ocket8888 opened a new issue #5015:
URL: https://github.com/apache/trafficcontrol/issues/5015


   ## I'm submitting a ...
   -  bug report
   
   ## Traffic Control components affected ...
   -  Traffic Ops
   
   ## Current behavior:
   When submitting a POST request to `/deliveryservice_requests`, if the 
request body's `deliveryservice` object has no `tenantId` property (or probably 
also `null` but I haven't checked) the handler will return a 500 Internal 
Server Error to the client.
   
   Also, the Tenant ID checked for user access is whatever the user submitted, 
**not** the actual Tenant of the Delivery Service. In this way, a `change` or 
`delete` request can be submitted by a user who does not have permission to 
modify that Delivery Service. So a user with a Tenant ID of 3, which is a child 
of Tenant 1, can legally submit a request for any Delivery Service accessible to 
1 by simply replacing the `tenantId` property of the `deliveryservice` object 
with their own Tenant's ID.
   
   ## Expected / new behavior:
   If a property is required, then omitting it should cause a 400 Bad Request 
response with an appropriate `alerts` entry describing the problem.
   
   ## Minimal reproduction of the problem with instructions:
   Make a POST request to `/deliveryservice_requests` containing a 
syntactically valid DSR, but one wherein the `tenantId` of the 
`deliveryservice` object is undefined.
   
   Make a POST request to `/deliveryservice_requests` containing a 
`deliveryservice` inaccessible to the requesting Tenant, but with the 
`deliveryservice`'s `tenantId` modified to an accessible value.
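
One way to implement the check this issue asks for, as an added example that is not part of the original issue and is not Traffic Ops code: a missing `tenantId` is rejected with a 400, and an existing Delivery Service is authorized against its stored Tenant instead of the submitted one. `DSRequest`, `authorizeDSR`, `hasAccess`, the Tenant tables, the `ds-root`/`ds-child` names and the 403/200 status codes are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/http"
)

// DSRequest is a pared-down, hypothetical stand-in for the POST body.
type DSRequest struct {
	XMLID    string
	TenantID *int // pointer: an omitted or null tenantId stays nil
}

// Constructed data: Tenants 2 and 3 are children of Tenant 1.
var tenantParent = map[int]int{2: 1, 3: 1}
var storedDSTenant = map[string]int{"ds-root": 1, "ds-child": 3}

// hasAccess reports whether target is the user's Tenant or a descendant of it.
func hasAccess(userTenant, target int) bool {
	for t, ok := target, true; ok; t, ok = tenantParent[t] {
		if t == userTenant {
			return true
		}
	}
	return false
}

// authorizeDSR returns the status code and alert text the handler would send.
func authorizeDSR(userTenant int, r DSRequest) (int, string) {
	if r.TenantID == nil {
		return http.StatusBadRequest, "deliveryservice.tenantId is required"
	}
	checked := *r.TenantID
	// An existing Delivery Service is checked against its stored Tenant,
	// never the client-supplied value.
	if actual, exists := storedDSTenant[r.XMLID]; exists {
		checked = actual
	}
	if !hasAccess(userTenant, checked) {
		return http.StatusForbidden, "not authorized on this Tenant"
	}
	return http.StatusOK, ""
}

func main() {
	own := 3
	fmt.Println(authorizeDSR(3, DSRequest{XMLID: "ds-root"}))                  // missing tenantId
	fmt.Println(authorizeDSR(3, DSRequest{XMLID: "ds-root", TenantID: &own}))  // substituted tenantId
	fmt.Println(authorizeDSR(3, DSRequest{XMLID: "ds-child", TenantID: &own})) // own Delivery Service
}
```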
   

