)]}'
{"/PATCHSET_LEVEL":[{"author":{"_account_id":9816,"name":"Takashi Kajinami","email":"kajinamit@oss.nttdata.com","username":"kajinamit"},"change_message_id":"3c710b01d120103d40f936a73fd7e153df24d830","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"31329535_c5b73534","updated":"2024-03-12 00:57:52.000000000","message":"Based on the agreement in mail discussions I\u0027m merging this now","commit_id":"632998e218939002d199b52d7262bf8e633d2c2e"},{"author":{"_account_id":9816,"name":"Takashi Kajinami","email":"kajinamit@oss.nttdata.com","username":"kajinamit"},"change_message_id":"6afb1da81e68aeff7969056f1b6b19eef7cb119c","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"b2423a9d_c75162da","updated":"2024-03-07 14:34:19.000000000","message":"recheck different job failed this time. random failure","commit_id":"632998e218939002d199b52d7262bf8e633d2c2e"},{"author":{"_account_id":9816,"name":"Takashi Kajinami","email":"kajinamit@oss.nttdata.com","username":"kajinamit"},"change_message_id":"1bf712182fe36b22c2ac4cc8ec5a2aeb2b5047ff","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"be6e4a2d_ada45da4","updated":"2024-03-07 12:32:32.000000000","message":"recheck irrelevant failure","commit_id":"632998e218939002d199b52d7262bf8e633d2c2e"}],"heat/api/openstack/v1/util.py":[{"author":{"_account_id":8833,"name":"Rabi Mishra","email":"ramishra@redhat.com","username":"rabi"},"change_message_id":"af6e39eb5ae1f3aa3afbba645b8058e68059975c","unresolved":true,"context_lines":[{"line_number":30,"context_line":"    @functools.wraps(handler)"},{"line_number":31,"context_line":"    def handle_stack_method(controller, req, tenant_id, **kwargs):"},{"line_number":32,"context_line":"        if req.context.is_admin and req.context.project_id:"},{"line_number":33,"context_line":"            tenant_id \u003d req.context.tenant_id"},{"line_number":34,"context_line":"        _target \u003d {\"project_id\": tenant_id}"},{"line_number":35,"context_line":"        if req.context.tenant_id !\u003d tenant_id:"},{"line_number":36,"context_line":"            raise exc.HTTPForbidden()"}],"source_content_type":"text/x-python","patch_set":1,"id":"60bdeaf9_148f41a9","line":33,"updated":"2024-02-06 04:03:00.000000000","message":"This looks like a hack. Did we break something recently? `req.context.tenant_id !\u003d tenant_id and not req.context.is_admin` is the check in there since ages.\n\nhttps://github.com/openstack/heat/blob/queens-eol/heat/api/openstack/v1/util.py#L46-L47","commit_id":"3e2ba6ba51a9f242e9eb7441825e2e1141a9a160"},{"author":{"_account_id":9816,"name":"Takashi Kajinami","email":"kajinamit@oss.nttdata.com","username":"kajinamit"},"change_message_id":"7c44f5632420d2b3ef4d4aed039ec5ee995e6033","unresolved":true,"context_lines":[{"line_number":30,"context_line":"    @functools.wraps(handler)"},{"line_number":31,"context_line":"    def handle_stack_method(controller, req, tenant_id, **kwargs):"},{"line_number":32,"context_line":"        if req.context.is_admin and req.context.project_id:"},{"line_number":33,"context_line":"            tenant_id \u003d req.context.tenant_id"},{"line_number":34,"context_line":"        _target \u003d {\"project_id\": tenant_id}"},{"line_number":35,"context_line":"        if req.context.tenant_id !\u003d tenant_id:"},{"line_number":36,"context_line":"            raise exc.HTTPForbidden()"}],"source_content_type":"text/x-python","patch_set":1,"id":"3b5e95f5_c4c11219","line":33,"in_reply_to":"60bdeaf9_148f41a9","updated":"2024-02-06 05:20:11.000000000","message":"The problem here is that new default policy has additional check about project_id[1] while we previously only checked role[2].\n\n[1] https://github.com/openstack/heat/blob/master/heat/policies/base.py#L24-L25\n[2] https://github.com/openstack/heat/blob/master/heat/policies/base.py#L17\n\nThe current logic works for the initial request, but if client tries to access the url returned by the initial repose (as is done in stack show command in heatclient), the policy check fails because the new request path contains the project id of the actual owner in url.","commit_id":"3e2ba6ba51a9f242e9eb7441825e2e1141a9a160"}]}