[GitHub] [trafficcontrol] rawlinp opened a new issue, #7047: TO /api/4.0/servers/:hostname/update should allow setting `config_apply_time` and `revalidate_apply_time` even if user doesn't have the lock

Tue, 30 Aug 2022 10:14:51 -0700 


rawlinp opened a new issue, #7047:
URL: https://github.com/apache/trafficcontrol/issues/7047

   <!--
   ************ STOP!! ************
   If this issue identifies a security vulnerability, DO NOT submit it! 
Instead, contact
   the Apache Traffic Control Security Team at 
secur...@trafficcontrol.apache.org and follow the
   guidelines at https://apache.org/security regarding vulnerability disclosure.
   
   - For *SUPPORT QUESTIONS*, use the #traffic-control channel on the ASF slack 
(https://s.apache.org/tc-slack-request)
   or the Traffic Control Users mailing list (send an email to 
users-subscr...@trafficcontrol.apache.org to subscribe).
   - Before submitting, please **SEARCH GITHUB** for a similar issue or PR
       * https://github.com/apache/trafficcontrol/issues
       * https://github.com/apache/trafficcontrol/pulls
   -->
   
   <!-- Do not submit security vulnerabilities or support requests here - see 
above -->
   ## This Bug Report affects these Traffic Control components:
   <!-- delete all those that don't apply -->
   - Traffic Ops
   
   ## Current behavior:
   <!-- Describe how the bug happens -->
   If a CDN is locked and a user tries to call `POST 
/api/4.0/servers/:hostname/update` with the query parameters 
`config_apply_time` or `revalidate_apply_time` for a server in that CDN but the 
user doesn't hold the lock, TO denies the request with a 403.
   
   ## Expected behavior:
   <!-- Describe what the behavior would be without the bug -->
   The aforementioned call should not return a 403 if the query parameters 
`config_apply_time` or `revalidate_apply_time` are used. This would allow 
caches to un-queue themselves after applying updates/revalidations even if the 
CDN is locked.
   
   ## Steps to reproduce:
   <!-- If the current behavior is a bug, please provide the *STEPS TO 
REPRODUCE* and
   include the applicable TC version.
   -->
   As user A, lock the CDN. As user B, attempt to make the aforementioned 
request and observe the 403.
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscr...@trafficcontrol.apache.org.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

Reply via email to