[ 
https://issues.apache.org/jira/browse/TC-535?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16133277#comment-16133277
 ] 

ASF GitHub Bot commented on TC-535:
-----------------------------------

Github user mitchell852 commented on a diff in the pull request:

    
https://github.com/apache/incubator-trafficcontrol/pull/831#discussion_r134007307
  
    --- Diff: traffic_ops/app/lib/API/DeliveryService/KeysUrlSig.pm ---
    @@ -134,17 +154,22 @@ sub generate {
        my $current_user = $self->current_user()->{username};
        &log( $self, "Generated new url_sig_keys for " . $xml_id, "APICHANGE" );
     
    +   my $tenant_utils = Utils::Tenant->new($self);
    +   my $tenants_data = $tenant_utils->create_tenants_data_from_db();
        my $rs = $self->db->resultset("Deliveryservice")->find( { xml_id => 
$xml_id } );
        my $ds_id;
        if ( defined($rs) ) {
                $ds_id = $rs->id;
    +           if (!$tenant_utils->is_ds_resource_accessible($tenants_data, 
$rs->tenant_id)) {
    +                   return $self->forbidden("Forbidden. Delivery-service 
tenant is not available to the user.");
    +           }
        }
     
        my $helper = new Utils::Helper( { mojo => $self } );
     
        # Admins can always do this, otherwise verify the user
        if ( ( defined($rs) && $helper->is_valid_delivery_service($ds_id) ) ) {
    -           if ( &is_admin($self) || 
$helper->is_delivery_service_assigned($ds_id) ) {
    +           if ( &is_admin($self) || 
$helper->is_delivery_service_assigned($ds_id) || $tenant_utils->use_tenancy()) {
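Review bot: The tenancy check added inside the `if ( defined($rs) )` block runs after the `&log( $self, "Generated new url_sig_keys for " . $xml_id, "APICHANGE" )` call a few lines above it, so a request that is rejected with `forbidden(...)` still leaves an APICHANGE audit entry claiming keys were generated. Moving the `Utils::Tenant` lookup and the `is_ds_resource_accessible` check ahead of the log call (or deferring the log until after authorization) would keep the audit trail accurate. Separately, the new `|| $tenant_utils->use_tenancy()` disjunct on the last line drops the `is_delivery_service_assigned` requirement whenever tenancy is enabled; if that is the intended semantics, a comment such as `# with tenancy enabled, access was already verified by is_ds_resource_accessible above` would make the bypass explicit for the next reader. The body of `generate` starts and ends outside this hunk.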
    --- End diff --
    
    same comment as before


> DS URL sig key apis needs to have tenancy check in place
> --------------------------------------------------------
>
>                 Key: TC-535
>                 URL: https://issues.apache.org/jira/browse/TC-535
>             Project: Traffic Control
>          Issue Type: Bug
>          Components: Traffic Ops API
>    Affects Versions: 2.1.0
>            Reporter: Jeremy Mitchell
>            Assignee: Nir Sopher
>             Fix For: 2.1.0, 2.2.0
>
>
> Tenancy was introduced in 2.1, however, by default it is turned off via the 
> use_tenancy parameter but when activated it is used to limit the scope of 
> delivery services that a user can act on.
> The following APIs need to check tenancy to ensure users cannot act on delivery services
> that they don't have access to.
> post("/api/$version/deliveryservices/xmlId/:xmlId/urlkeys/generate
> post("/api/$version/deliveryservices/xmlId/:xmlId/urlkeys/copyFromXmlId/:copyFromXmlId
> get("/api/$version/deliveryservices/xmlId/:xmlId/urlkeys


