[ https://issues.apache.org/jira/browse/TC-535?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16133277#comment-16133277 ]
ASF GitHub Bot commented on TC-535:
-----------------------------------

Github user mitchell852 commented on a diff in the pull request:

    https://github.com/apache/incubator-trafficcontrol/pull/831#discussion_r134007307

--- Diff: traffic_ops/app/lib/API/DeliveryService/KeysUrlSig.pm ---
@@ -134,17 +154,22 @@ sub generate { my $current_user = $self->current_user()->{username}; &log( $self, "Generated new url_sig_keys for " . $xml_id, "APICHANGE" ); + my $tenant_utils = Utils::Tenant->new($self); + my $tenants_data = $tenant_utils->create_tenants_data_from_db(); my $rs = $self->db->resultset("Deliveryservice")->find( { xml_id => $xml_id } ); my $ds_id; if ( defined($rs) ) { $ds_id = $rs->id; + if (!$tenant_utils->is_ds_resource_accessible($tenants_data, $rs->tenant_id)) { + return $self->forbidden("Forbidden. Delivery-service tenant is not available to the user."); + } } my $helper = new Utils::Helper( { mojo => $self } ); # Admins can always do this, otherwise verify the user if ( ( defined($rs) && $helper->is_valid_delivery_service($ds_id) ) ) { - if ( &is_admin($self) || $helper->is_delivery_service_assigned($ds_id) ) { + if ( &is_admin($self) || $helper->is_delivery_service_assigned($ds_id) || $tenant_utils->use_tenancy()) { --- End diff -- same comment as before > DS URL sig key apis needs to have tenancy check in place > -------------------------------------------------------- > > Key: TC-535 > URL: https://issues.apache.org/jira/browse/TC-535 > Project: Traffic Control > Issue Type: Bug > Components: Traffic Ops API > Affects Versions: 2.1.0 > Reporter: Jeremy Mitchell > Assignee: Nir Sopher > Fix For: 2.1.0, 2.2.0 > > > Tenancy was introduced in 2.1, however, by default it is turned off via the > use_tenancy parameter but when activated it is used to limit the scope of > delivery services that a user can act on. > The following APIs needs to check tenancy to ensure users cannot act on ds's > that they don't have access to. > post("/api/$version/deliveryservices/xmlId/:xmlId/urlkeys/generate > post("/api/$version/deliveryservices/xmlId/:xmlId/urlkeys/copyFromXmlId/:copyFromXmlId > get("/api/$version/deliveryservices/xmlId/:xmlId/urlkeys -- This message was sent by Atlassian JIRA (v6.4.14#64029)
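Review bot: In the last changed line of the hunk, `|| $tenant_utils->use_tenancy()` makes the condition true for every caller whenever tenancy is enabled, so `&is_admin($self)` and `is_delivery_service_assigned($ds_id)` no longer gate key generation and the only remaining control is the `is_ds_resource_accessible` check added above. If that is intended, update the comment "Admins can always do this, otherwise verify the user" so it describes the tenancy path; if not, the tenant check should be an additional condition rather than an alternative one. Separately, the `&log( $self, "Generated new url_sig_keys for " . $xml_id, "APICHANGE" )` context line runs before the new `return $self->forbidden(...)`, so a request rejected by the tenancy check is still recorded as a key generation; consider moving the log call after the access checks.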