author | Tzu-Mainn Chen <tzumainn@redhat.com> | 2021-09-30 20:41:47 +0000 |
---|---|---|
committer | Tzu-Mainn Chen <tzumainn@redhat.com> | 2021-10-25 21:18:57 +0000 |
commit | 42b03703af02277e63c6f62378b27258ed240191 (patch) | |
tree | 7980088d9731e57a614e8a1c1f8289876c8c8e41 /ironic/api | |
parent | 2ff7f553c08ab74c4b09763110e43168b44d638c (diff) | |
download | ironic-42b03703af02277e63c6f62378b27258ed240191.tar.gz |
Fix restricted allocation creation for old policy defaults
The logic for restricted allocation creation checks that the
user is not trying to create an allocation with an owner other
than themselves. However the logic as it stands will always fail,
as it does not check if the user actually set an allocation owner.
Change-Id: I780d8e88f9319dc37ab56309bddbfb6b5f3c9d13
Diffstat (limited to 'ironic/api')
-rw-r--r-- | ironic/api/controllers/v1/allocation.py | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/ironic/api/controllers/v1/allocation.py b/ironic/api/controllers/v1/allocation.py
index 73aca3a51..ab6c6e541 100644
--- a/ironic/api/controllers/v1/allocation.py
+++ b/ironic/api/controllers/v1/allocation.py
@@ -323,9 +323,11 @@ class AllocationsController(pecan.rest.RestController):
 except exception.HTTPForbidden:
 cdict = api.request.context.to_policy_values()
 project = cdict.get('project_id')
- if project and project != allocation.get('owner'):
+ if (project and allocation.get('owner')
+ and project != allocation.get('owner')):
 raise
- if project and not CONF.oslo_policy.enforce_new_defaults:
+ if (allocation.get('owner')
+ and not CONF.oslo_policy.enforce_new_defaults):
 api_utils.check_policy('baremetal:allocation:create_pre_rbac')
 api_utils.check_policy('baremetal:allocation:create_restricted')
 self._check_allowed_allocation_fields(allocation) |
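Review bot: The second guard now runs the `baremetal:allocation:create_pre_rbac` check only when the request body sets `owner`, so under the old defaults an owner-less request from a restricted user reaches `create_restricted` without that legacy check, and nothing in the hunk shows the owner being pinned to the caller's project afterwards. The method continues outside the hunk, so that assignment may exist; if it does, a comment above the second `if` such as `# No owner supplied: the owner is set to the caller's project below, so the pre-RBAC check is skipped` would make the authorization intent reviewable. The first guard also still skips the owner comparison when `project` is falsy, which leaves a supplied `owner` checked only by policy. Binding `owner = allocation.get('owner')` once would shorten both conditions, and a test per case (owner unset, owner equal to the project, owner different, each with `enforce_new_defaults` on and off) would pin the behaviour.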