winterhazel commented on code in PR #13149:
URL: https://github.com/apache/cloudstack/pull/13149#discussion_r3320265882
##########
server/src/main/java/com/cloud/user/AccountManagerImpl.java:
##########
@@ -3320,6 +3320,10 @@ private Boolean isAccessingKeypairSuperset(ApiKeyPair
accessedKeyPair, BaseCmd c
return Boolean.TRUE;
}
ApiKeyPair accessingKeyPair = apiKeyPairService.findByApiKey(apiKey);
+ if (accessingKeyPair == null) {
+ logger.warn("Unable to find API key pair for the accessing API
key: {}", apiKey);
+ return Boolean.TRUE;
Review Comment:
I think that it is better to return `false` here instead. Could you have a
look @bernardodemarco?
This method validates whether the keypair being used is a superset of the
keypair being accessed in order to prevent a key with less privileges to get
keys with more privileges. `true` is returned when an `apiKey` is not being
used to call the API, which makes sense as this check is not necessary in this
case. However, as a keypair is being used here, I think that it would make more
sense to either inform that it is not a superset, as we could not obtain the
key to confirm, or throw a runtime exception.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
