)]}'
{"/COMMIT_MSG":[{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"46a138c834a5a4f42fe1406733fd8e362060e05e","unresolved":true,"context_lines":[{"line_number":7,"context_line":"Properly handle InvalidScope exceptions"},{"line_number":8,"context_line":""},{"line_number":9,"context_line":"Now that we\u0027re setting scope_types on policies, oslo.policy will throw"},{"line_number":10,"context_line":"an InvalidScope exception if configured to do so. We should hanlde this"},{"line_number":11,"context_line":"when we call enforcement so that we can bubble up an appropriate"},{"line_number":12,"context_line":"Forbidden exception to the user."},{"line_number":13,"context_line":""}],"source_content_type":"text/x-gerrit-commit-message","patch_set":4,"id":"8c294935_6143c9b5","line":10,"range":{"start_line":10,"start_character":60,"end_line":10,"end_character":66},"updated":"2021-02-19 14:51:51.000000000","message":"handle","commit_id":"cfd8a1af5bb3c1c7f1ea814d5cce086bc7daf322"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"d7546dc511fa68c0ab9636b266ac085ccd2ad987","unresolved":false,"context_lines":[{"line_number":7,"context_line":"Properly handle InvalidScope exceptions"},{"line_number":8,"context_line":""},{"line_number":9,"context_line":"Now that we\u0027re setting scope_types on policies, oslo.policy will throw"},{"line_number":10,"context_line":"an InvalidScope exception if configured to do so. We should hanlde this"},{"line_number":11,"context_line":"when we call enforcement so that we can bubble up an appropriate"},{"line_number":12,"context_line":"Forbidden exception to the user."},{"line_number":13,"context_line":""}],"source_content_type":"text/x-gerrit-commit-message","patch_set":4,"id":"45f9a195_53debfa0","line":10,"range":{"start_line":10,"start_character":60,"end_line":10,"end_character":66},"in_reply_to":"8c294935_6143c9b5","updated":"2021-02-19 18:31:39.000000000","message":"Done","commit_id":"cfd8a1af5bb3c1c7f1ea814d5cce086bc7daf322"},{"author":{"_account_id":9303,"name":"Abhishek Kekane","email":"akekane@redhat.com","username":"abhishekkekane"},"change_message_id":"40de66217d3bf2370a1a2c04986c12373b2cb4dc","unresolved":true,"context_lines":[{"line_number":10,"context_line":"an InvalidScope exception if configured to do so. We should handle this"},{"line_number":11,"context_line":"when we call enforcement so that we can bubble up an appropriate"},{"line_number":12,"context_line":"Forbidden exception to the user."},{"line_number":13,"context_line":""},{"line_number":14,"context_line":"Change-Id: I50fe718d3b50af0d662fda6fa0fbd3e29783e063"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":7,"id":"72339139_af480fdf","line":13,"updated":"2021-02-23 10:27:40.000000000","message":"Should be tagged with\nRelated: blueprint secure-rbac","commit_id":"edc054c881d4db5e22acb0942fe46efb66db2194"}],"glance/api/policy.py":[{"author":{"_account_id":8122,"name":"Cyril Roelandt","email":"cyril@redhat.com","username":"cyril.roelandt.enovance"},"change_message_id":"85a35b1d411b3e180cdaa97647827d864134937a","unresolved":true,"context_lines":[{"line_number":70,"context_line":"                                                   do_raise\u003dTrue,"},{"line_number":71,"context_line":"                                                   exc\u003dexception.Forbidden,"},{"line_number":72,"context_line":"                                                   action\u003daction)"},{"line_number":73,"context_line":"            return result"},{"line_number":74,"context_line":"        except policy.InvalidScope:"},{"line_number":75,"context_line":"            raise exception.Forbidden(action\u003daction)"},{"line_number":76,"context_line":""}],"source_content_type":"text/x-python","patch_set":3,"id":"5ec417bd_8bde7b55","line":73,"range":{"start_line":73,"start_character":0,"end_line":73,"end_character":25},"updated":"2021-02-17 19:07:39.000000000","message":"This is really nitpicking, but why do we use a variable here instead of using a return statement directly, as was done in the original code?","commit_id":"a9385741b50981be440df80e2152c775056726a3"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"167ae0813b867e5efb4a4d9ac386647313d2b82e","unresolved":true,"context_lines":[{"line_number":70,"context_line":"                                                   do_raise\u003dTrue,"},{"line_number":71,"context_line":"                                                   exc\u003dexception.Forbidden,"},{"line_number":72,"context_line":"                                                   action\u003daction)"},{"line_number":73,"context_line":"            return result"},{"line_number":74,"context_line":"        except policy.InvalidScope:"},{"line_number":75,"context_line":"            raise exception.Forbidden(action\u003daction)"},{"line_number":76,"context_line":""}],"source_content_type":"text/x-python","patch_set":3,"id":"ef2fcef4_9d1cc122","line":73,"range":{"start_line":73,"start_character":0,"end_line":73,"end_character":25},"in_reply_to":"5ec417bd_8bde7b55","updated":"2021-02-17 19:14:00.000000000","message":"This can be reverted. I don\u0027t have a good reason for using a variable outside of some tinkering I was doing locally.","commit_id":"a9385741b50981be440df80e2152c775056726a3"},{"author":{"_account_id":8122,"name":"Cyril Roelandt","email":"cyril@redhat.com","username":"cyril.roelandt.enovance"},"change_message_id":"54c7864fabed66e55b6c8fd8e0e2962c95217f17","unresolved":true,"context_lines":[{"line_number":70,"context_line":"                                                   do_raise\u003dTrue,"},{"line_number":71,"context_line":"                                                   exc\u003dexception.Forbidden,"},{"line_number":72,"context_line":"                                                   action\u003daction)"},{"line_number":73,"context_line":"            return result"},{"line_number":74,"context_line":"        except policy.InvalidScope:"},{"line_number":75,"context_line":"            raise exception.Forbidden(action\u003daction)"},{"line_number":76,"context_line":""}],"source_content_type":"text/x-python","patch_set":3,"id":"e45e0937_bf87a750","line":73,"range":{"start_line":73,"start_character":0,"end_line":73,"end_character":25},"in_reply_to":"ef2fcef4_9d1cc122","updated":"2021-02-19 02:21:35.000000000","message":"OK, don\u0027t worry about it then :)","commit_id":"a9385741b50981be440df80e2152c775056726a3"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"97666e9c76583c1a3ab7e10ed707c3b78e1c50b3","unresolved":true,"context_lines":[{"line_number":70,"context_line":"                                                 do_raise\u003dTrue,"},{"line_number":71,"context_line":"                                                 exc\u003dexception.Forbidden,"},{"line_number":72,"context_line":"                                                 action\u003daction)"},{"line_number":73,"context_line":"        except policy.InvalidScope:"},{"line_number":74,"context_line":"            raise exception.Forbidden(action\u003daction)"},{"line_number":75,"context_line":""},{"line_number":76,"context_line":"    def check(self, context, action, target, registered\u003dTrue):"}],"source_content_type":"text/x-python","patch_set":8,"id":"295ea725_e335bcba","line":73,"updated":"2021-02-23 18:23:07.000000000","message":"So is this an operator configuration bug? If so, we should probably log an error here instead of quietly papering over it, shouldn\u0027t we? Or will oslo.policy log something for us?","commit_id":"de30fa36aafecbff463b7bb72e6fc8bcf99f606b"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"8133decd9594bcae7ac2d291dd4a638e627d1be1","unresolved":true,"context_lines":[{"line_number":70,"context_line":"                                                 do_raise\u003dTrue,"},{"line_number":71,"context_line":"                                                 exc\u003dexception.Forbidden,"},{"line_number":72,"context_line":"                                                 action\u003daction)"},{"line_number":73,"context_line":"        except policy.InvalidScope:"},{"line_number":74,"context_line":"            raise exception.Forbidden(action\u003daction)"},{"line_number":75,"context_line":""},{"line_number":76,"context_line":"    def check(self, context, action, target, registered\u003dTrue):"}],"source_content_type":"text/x-python","patch_set":8,"id":"2d8515da_3f12d213","line":73,"in_reply_to":"295ea725_e335bcba","updated":"2021-02-23 21:49:31.000000000","message":"I guess this could be an operator configuration bug depending on how you look at it.\n\nIf an operator forgot to give someone the `admin` role on the system and that person is still using an admin project-scoped token to do something, they\u0027ll hit this. In that case, the operator should probably update the authorization for that user.\n\nOn the other hand, if I\u0027m just a regular end user with the `member` role on a project and I keep trying to GET /v2/os-hypervisors, I\u0027ll hit this. But in that case, I don\u0027t think there is anything the operator should do, is there?","commit_id":"de30fa36aafecbff463b7bb72e6fc8bcf99f606b"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"55ac9b7a106957d7ef0b95cb212bba626dd79d85","unresolved":true,"context_lines":[{"line_number":70,"context_line":"                                                 do_raise\u003dTrue,"},{"line_number":71,"context_line":"                                                 exc\u003dexception.Forbidden,"},{"line_number":72,"context_line":"                                                 action\u003daction)"},{"line_number":73,"context_line":"        except policy.InvalidScope:"},{"line_number":74,"context_line":"            raise exception.Forbidden(action\u003daction)"},{"line_number":75,"context_line":""},{"line_number":76,"context_line":"    def check(self, context, action, target, registered\u003dTrue):"}],"source_content_type":"text/x-python","patch_set":8,"id":"8537f7a0_190b6e8d","line":73,"in_reply_to":"2d8515da_3f12d213","updated":"2021-02-23 22:28:07.000000000","message":"Ack, I guess it\u0027s a little iffy. Seems like it\u0027d be nice to give the operator something to go on, but obviously don\u0027t want this to become a log-spam source. We can follow up with a LOG here later anyway, so I\u0027ll just get this going.","commit_id":"de30fa36aafecbff463b7bb72e6fc8bcf99f606b"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"0cf9ae89086e1bb89d5029f1d782778407b78ecc","unresolved":true,"context_lines":[{"line_number":70,"context_line":"                                                 do_raise\u003dTrue,"},{"line_number":71,"context_line":"                                                 exc\u003dexception.Forbidden,"},{"line_number":72,"context_line":"                                                 action\u003daction)"},{"line_number":73,"context_line":"        except policy.InvalidScope:"},{"line_number":74,"context_line":"            raise exception.Forbidden(action\u003daction)"},{"line_number":75,"context_line":""},{"line_number":76,"context_line":"    def check(self, context, action, target, registered\u003dTrue):"}],"source_content_type":"text/x-python","patch_set":8,"id":"eb4eaaa7_0dc12176","line":73,"in_reply_to":"8537f7a0_190b6e8d","updated":"2021-02-23 22:29:43.000000000","message":"Ack - good idea. Thanks!","commit_id":"de30fa36aafecbff463b7bb72e6fc8bcf99f606b"}],"glance/tests/unit/test_policy.py":[{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"46a138c834a5a4f42fe1406733fd8e362060e05e","unresolved":true,"context_lines":[{"line_number":352,"context_line":"        context \u003d glance.context.RequestContext("},{"line_number":353,"context_line":"            user_id\u003d\u0027user\u0027, project_id\u003d\u0027project\u0027, roles\u003d[\u0027bar\u0027])"},{"line_number":354,"context_line":"        self.assertTrue(enforcer.enforce(context, \u0027foo\u0027, {}))"},{"line_number":355,"context_line":""},{"line_number":356,"context_line":""},{"line_number":357,"context_line":"class TestPolicyEnforcerNoFile(base.IsolatedUnitTest):"},{"line_number":358,"context_line":""}],"source_content_type":"text/x-python","patch_set":4,"id":"69d431b3_d2360761","line":355,"updated":"2021-02-19 14:51:51.000000000","message":"This is just preference, but when you\u0027re literally testing that one knob changes a behavior, it is nice to put the full behavior in a helper and then have two top-levels that call the inner with the flag either way. You can assertRaises(inner) on the fail-y one. That way we know it\u0027s just the flag and not a typo or subtle change in the should-be-identical setup code.","commit_id":"cfd8a1af5bb3c1c7f1ea814d5cce086bc7daf322"},{"author":{"_account_id":5046,"name":"Lance Bragstad","email":"lbragstad@redhat.com","username":"ldbragst"},"change_message_id":"d7546dc511fa68c0ab9636b266ac085ccd2ad987","unresolved":false,"context_lines":[{"line_number":352,"context_line":"        context \u003d glance.context.RequestContext("},{"line_number":353,"context_line":"            user_id\u003d\u0027user\u0027, project_id\u003d\u0027project\u0027, roles\u003d[\u0027bar\u0027])"},{"line_number":354,"context_line":"        self.assertTrue(enforcer.enforce(context, \u0027foo\u0027, {}))"},{"line_number":355,"context_line":""},{"line_number":356,"context_line":""},{"line_number":357,"context_line":"class TestPolicyEnforcerNoFile(base.IsolatedUnitTest):"},{"line_number":358,"context_line":""}],"source_content_type":"text/x-python","patch_set":4,"id":"0d651131_4375865b","line":355,"in_reply_to":"69d431b3_d2360761","updated":"2021-02-19 18:31:39.000000000","message":"Done","commit_id":"cfd8a1af5bb3c1c7f1ea814d5cce086bc7daf322"}]}