diff options
Diffstat (limited to 'keystone/api/credentials.py')
-rw-r--r-- | keystone/api/credentials.py | 23 |
1 files changed, 16 insertions, 7 deletions
diff --git a/keystone/api/credentials.py b/keystone/api/credentials.py index 9487f1914..08a492c1d 100644 --- a/keystone/api/credentials.py +++ b/keystone/api/credentials.py @@ -101,13 +101,22 @@ class CredentialResource(ks_flask.ResourceBase): # If the request was filtered, make sure to return only the # credentials specific to that user. This makes it so that users with # roles on projects can't see credentials that aren't theirs. - if (not self.oslo_context.system_scope and - CONF.oslo_policy.enforce_scope): - filtered_refs = [] - for ref in refs: - if ref['user_id'] == target['credential']['user_id']: - filtered_refs.append(ref) - refs = filtered_refs + filtered_refs = [] + for ref in refs: + # Check each credential again to make sure the user has access to + # it, either by owning it, being a project admin with + # enforce_scope=false, being a system user, or having some other + # custom policy that allows access. + try: + cred = PROVIDERS.credential_api.get_credential(ref['id']) + ENFORCER.enforce_call( + action='identity:get_credential', + target_attr={'credential': cred} + ) + filtered_refs.append(ref) + except exception.Forbidden: + pass + refs = filtered_refs refs = [self._blob_to_json(r) for r in refs] return self.wrap_collection(refs, hints=hints) |