)]}'
{"/PATCHSET_LEVEL":[{"author":{"_account_id":27900,"name":"Artem Goncharov","email":"artem.goncharov@gmail.com","username":"gtema"},"change_message_id":"c2f53402d12fa73a75d2eb89d1c3348adf2db0f2","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":8,"id":"59a577fd_ffa79af9","updated":"2024-10-04 10:04:45.000000000","message":"recheck infra failure","commit_id":"5cf620a088b5e5d97f5eff01f797a8e2c8eb81dc"}],"keystone/api/projects.py":[{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"9b078157d10596089e722f1579ad15f6e8a8d8d9","unresolved":true,"context_lines":[{"line_number":98,"context_line":"            )"},{"line_number":99,"context_line":""},{"line_number":100,"context_line":"    @validation.response_body_schema(schema.get_response_body)"},{"line_number":101,"context_line":"    def get(self, project_id: str):"},{"line_number":102,"context_line":"        \"\"\"Get project."},{"line_number":103,"context_line":""},{"line_number":104,"context_line":"        GET/HEAD /v3/projects/{project_id}"}],"source_content_type":"text/x-python","patch_set":3,"id":"4d7e4d5e_d2211057","line":101,"updated":"2024-07-03 14:20:02.000000000","message":"This will lead to a change in behaviour. Previously the enforcer call came first and you\u0027d get a HTTP 403 if that failed, regardless of the validity of the body. Now, we\u0027ll do schema checks first and those will return HTTP 400 if invalid.\n\nTwo questions:\n\n* Do we care from an API versioning perspective? I would assume an error is an error and we can change things as we see fit, but we should probably confirm this.\n* Is there any change of leaking data? 
Again, I assume not since the API routes are well known so returning 400 instead of 403 is not harmful, but I\u0027d like to double check that.\n\nAs an aside, we could answer these questions by converting `ENFORCER.enforce_call` calls to decorators and placing on the outermost scope, though idk how much work that is without some investigation.","commit_id":"696eb3768f907608a03b60418e78c9a1bdfe831b"},{"author":{"_account_id":27900,"name":"Artem Goncharov","email":"artem.goncharov@gmail.com","username":"gtema"},"change_message_id":"93e6dfabaca50809655bd3e0c3e533c0ec48aa6f","unresolved":true,"context_lines":[{"line_number":98,"context_line":"            )"},{"line_number":99,"context_line":""},{"line_number":100,"context_line":"    @validation.response_body_schema(schema.get_response_body)"},{"line_number":101,"context_line":"    def get(self, project_id: str):"},{"line_number":102,"context_line":"        \"\"\"Get project."},{"line_number":103,"context_line":""},{"line_number":104,"context_line":"        GET/HEAD /v3/projects/{project_id}"}],"source_content_type":"text/x-python","patch_set":3,"id":"bbc5a782_d3bed226","line":101,"in_reply_to":"4d7e4d5e_d2211057","updated":"2024-07-03 14:33:55.000000000","message":"You are right and I was forced to deal with that in the tests already (previous change in the stack). I personally think it makes no sense to check whether user is allowed to do something before we can actually figure out what it is that the user wants (typically in Keystone it is clear, but in case of things like actions this is not the case). But the most weird stuff is feeding of filters into the policy evaluation before we actually even know whether the data passed is valid.\n\nSo yes, we have a behavior change. 
I can\u0027t imagine we can leak data by telling the user his input was not valid","commit_id":"696eb3768f907608a03b60418e78c9a1bdfe831b"},{"author":{"_account_id":27900,"name":"Artem Goncharov","email":"artem.goncharov@gmail.com","username":"gtema"},"change_message_id":"961c3369b8d566276d1fd4d5552726b50544d575","unresolved":true,"context_lines":[{"line_number":98,"context_line":"            )"},{"line_number":99,"context_line":""},{"line_number":100,"context_line":"    @validation.response_body_schema(schema.get_response_body)"},{"line_number":101,"context_line":"    def get(self, project_id: str):"},{"line_number":102,"context_line":"        \"\"\"Get project."},{"line_number":103,"context_line":""},{"line_number":104,"context_line":"        GET/HEAD /v3/projects/{project_id}"}],"source_content_type":"text/x-python","patch_set":3,"id":"24477219_6348db17","line":101,"in_reply_to":"bbc5a782_d3bed226","updated":"2024-07-03 14:46:27.000000000","message":"I also see that other services do routing/validation first and then privilege evaluation, so this would be more in line with the rest of OpenStack.\n\nAnyway, surely we need to check","commit_id":"696eb3768f907608a03b60418e78c9a1bdfe831b"}]}
