Github user mitchell852 commented on a diff in the pull request:
https://github.com/apache/incubator-trafficcontrol/pull/433#discussion_r110311384
--- Diff: traffic_ops/app/lib/API/Tenant.pm ---
@@ -162,11 +179,17 @@ sub create {
return $self->alert("Tenant name is required.");
}
+ #not allowing to create additional root tenants.
+ #there is no real problem with that, but no real use also
my $parent_id = $params->{parentId};
if ( !defined($parent_id) ) {
return $self->alert("Parent Id is required.");
}
+ if (!verify_tenancy_for_write($self, $params->{parentId})) {
--- End diff --
I don't understand why you need a verify_tenancy_for_read and
verify_tenancy_for_write
I thought if you got this far thru amir's new authentication/authorization
model, then you'd simply do a tenant test. for example, if i was trying to do:
PUT /api/tenant/5
i would first have to get thru the new AAA model and then there would be a
check that my user has tenant_id=5 (or a parent of 5) like so
if (!hasTenant(5)) { return $self->forbidden }
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at [email protected] or file a JIRA ticket
with INFRA.
---
