[jira] [Commented] (CLOUDSTACK-10434) some APIs need access check

ASF subversion and git services (Jira) Mon, 26 Apr 2021 02:10:15 -0700


    [ 
https://issues.apache.org/jira/browse/CLOUDSTACK-10434?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17331919#comment-17331919
 ]


ASF subversion and git services commented on CLOUDSTACK-10434:
--------------------------------------------------------------

Commit f8ba33d5703035facab88106b60923d797aa852b in cloudstack's branch 
refs/heads/master from lujiefsi
[ https://gitbox.apache.org/repos/asf?p=cloudstack.git;h=f8ba33d ]

server: Some APIs should have access check (#4859)

This PR fixes the CLOUDSTACK-10434. I think some APIs lack access check and 
list them in below table. I also give the pattch to add the access check for 
the api in this table. Anyone chould change this table, If you think the APIs 
do not need access check and change their lable as "no".

API     Lack?
VolumeApiServiceImpl # updateVolume     yes
VolumeApiServiceImpl # detachVolumeViaDestroyVM yes
VolumeApiServiceImpl # takeSnapshot     yes
VolumeApiServiceImpl # migrateVolume    yes
AccountManagerImpl#createApiKeyAndSecretKey     yes
LoadBalancingRulesManagerImpl#applyLBStickinessPolicy   yes
LoadBalancingRulesManagerImpl#applyLBHealthCheckPolicy  yes
TemplateManagerImpl#createPrivateTemplate       yes
SnapshotManagerImpl#updateSnapshotPolicy

Co-authored-by: lujie <lu...@foxmail.com>

> some APIs need access check
> ---------------------------
>
>                 Key: CLOUDSTACK-10434
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-10434
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the 
> default.) 
>            Reporter: lujie
>            Priority: Blocker
>
> I think some APIs in  VolumeApiServiceImpl  lack access check. I will list 
> them in below table. Anyone chould change this table. If you think the APIs 
> do not need access check, change its lable as  "no".
> ||API||Lack?||
> |VolumeApiServiceImpl # updateVolume|yes|
> |VolumeApiServiceImpl # detachVolumeViaDestroyVM|yes|
> |VolumeApiServiceImpl # takeSnapshot|yes|
> |VolumeApiServiceImpl # migrateVolume|yes|
> |AccountManagerImpl#createApiKeyAndSecretKey |yes|
> |LoadBalancingRulesManagerImpl.applyLBStickinessPolicy|yes|
> |TemplateManagerImpl#createPrivateTemplate|yes|
> |SnapshotManagerImpl#updateSnapshotPolicy|yes|



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

[jira] [Commented] (CLOUDSTACK-10434) some APIs need access check

Reply via email to