Marcus Christie created AIRAVATA-3298:
-----------------------------------------
Summary: Project methods are broken since they use the Project.owner instead of the authenticating user
Key: AIRAVATA-3298
URL: https://issues.apache.org/jira/browse/AIRAVATA-3298
Project: Airavata
Issue Type: Bug
Components: Airavata API, Security
Reporter: Marcus Christie

The following API server project methods are not correctly using the username in the AuthzToken:

* createProject - this creates the project as an entity owned by the project.owner without first checking that the project.owner is the authenticating user. This allows a user to create a project belonging to another user.
* getUserProjects - this allows retrieval of projects belonging to the passed-in userName parameter. The userName parameter should be deprecated and no longer used, and the authenticating user from the AuthzToken should be used instead.
* searchProjects - same issue as with getUserProjects.
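
The checks the report asks for, as an added example that is not Airavata's code: ownership and query scope are derived from the authenticated identity, never from request fields. The `AuthzToken` and `Project` records, the in-memory `store`, and the user names are simplified, hypothetical stand-ins, and the token is assumed to have been verified already.

```java
import java.util.ArrayList;
import java.util.List;

// Simplified stand-ins, NOT Airavata's real classes: the token is assumed to
// carry the already-verified username of the caller.
public class ProjectAuthzExample {
    record AuthzToken(String userName) {}
    record Project(String id, String owner, String name) {}

    static final List<Project> store = new ArrayList<>();

    // Reject a create request whose declared owner is not the caller, and
    // persist the caller (not the request field) as the owner.
    static Project createProject(AuthzToken token, Project project) {
        String caller = token.userName();
        if (caller == null || caller.isBlank()) {
            throw new SecurityException("no authenticated user in token");
        }
        if (project.owner() != null && !project.owner().equals(caller)) {
            throw new SecurityException("project.owner does not match authenticated user");
        }
        Project saved = new Project(project.id(), caller, project.name());
        store.add(saved);
        return saved;
    }

    // The userName argument is kept for signature compatibility but ignored;
    // results are scoped to the authenticated caller only.
    static List<Project> getUserProjects(AuthzToken token, String deprecatedUserName) {
        String caller = token.userName();
        return store.stream().filter(p -> p.owner().equals(caller)).toList();
    }

    public static void main(String[] args) {
        AuthzToken alice = new AuthzToken("alice"); // constructed sample user
        createProject(alice, new Project("p1", "alice", "ok"));
        try {
            createProject(alice, new Project("p2", "bob", "mismatched owner"));
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        // The userName argument no longer selects whose projects are returned.
        System.out.println(getUserProjects(alice, "bob"));
    }
}
```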