)]}'
{"/COMMIT_MSG":[{"author":{"_account_id":29632,"name":"Carlos Eduardo","email":"ces.eduardo98@gmail.com","username":"silvacarlos"},"change_message_id":"8ba3b7845ddd690e820c7b7c0345df30bc08d686","unresolved":true,"context_lines":[{"line_number":4,"context_line":"Commit:     Cameron Kolodjski \u003ccdkolod@gmail.com\u003e"},{"line_number":5,"context_line":"CommitDate: 2022-03-09 00:43:05 +0000"},{"line_number":6,"context_line":""},{"line_number":7,"context_line":"Remove admin context check when getting all security services, update unit tests."},{"line_number":8,"context_line":""},{"line_number":9,"context_line":"In manila/api/v1/security_service.py, the context.is_admin check is removed, allowing the subsequent policy check to determine whether the user can retrieve all security services. Authorization is determined by the RBAC policy \"security_services:get_all_security_services\" and checked in lines 112-113."},{"line_number":10,"context_line":""}],"source_content_type":"text/x-gerrit-commit-message","patch_set":2,"id":"98ea54da_9ab72e93","line":7,"range":{"start_line":7,"start_character":0,"end_line":7,"end_character":81},"updated":"2022-03-10 14:05:00.000000000","message":"There are a few documentation items that can be useful while submitting code to OpenStack. 
To keep commit messages in a consistent pattern, the community usually follows a common guideline: https://wiki.openstack.org/wiki/GitCommitMessages\n\nSo according to this, the summary line should be wrapped at 50 characters.","commit_id":"a1a7820a69624b28d5886d154968dfe8809b8250"},{"author":{"_account_id":29632,"name":"Carlos Eduardo","email":"ces.eduardo98@gmail.com","username":"silvacarlos"},"change_message_id":"fbc0307b6847ffcc6005681b9deed76778be3736","unresolved":false,"context_lines":[{"line_number":4,"context_line":"Commit:     Cameron Kolodjski \u003ccdkolod@gmail.com\u003e"},{"line_number":5,"context_line":"CommitDate: 2022-03-09 00:43:05 +0000"},{"line_number":6,"context_line":""},{"line_number":7,"context_line":"Remove admin context check when getting all security services, update unit tests."},{"line_number":8,"context_line":""},{"line_number":9,"context_line":"In manila/api/v1/security_service.py, the context.is_admin check is removed, allowing the subsequent policy check to determine whether the user can retrieve all security services. 
Authorization is determined by the RBAC policy \"security_services:get_all_security_services\" and checked in lines 112-113."},{"line_number":10,"context_line":""}],"source_content_type":"text/x-gerrit-commit-message","patch_set":2,"id":"8567afee_f479815d","line":7,"range":{"start_line":7,"start_character":0,"end_line":7,"end_character":81},"in_reply_to":"98ea54da_9ab72e93","updated":"2022-05-06 20:11:34.000000000","message":"Done","commit_id":"a1a7820a69624b28d5886d154968dfe8809b8250"},{"author":{"_account_id":29632,"name":"Carlos Eduardo","email":"ces.eduardo98@gmail.com","username":"silvacarlos"},"change_message_id":"8ba3b7845ddd690e820c7b7c0345df30bc08d686","unresolved":true,"context_lines":[{"line_number":6,"context_line":""},{"line_number":7,"context_line":"Remove admin context check when getting all security services, update unit tests."},{"line_number":8,"context_line":""},{"line_number":9,"context_line":"In manila/api/v1/security_service.py, the context.is_admin check is removed, allowing the subsequent policy check to determine whether the user can retrieve all security services. 
Authorization is determined by the RBAC policy \"security_services:get_all_security_services\" and checked in lines 112-113."},{"line_number":10,"context_line":""},{"line_number":11,"context_line":"In manila/tests/api/v1/test_security_service.py, unit tests for listing security services based on admin context were replaced with unit tests for listing security services based on whether the user is authorized or not."},{"line_number":12,"context_line":""},{"line_number":13,"context_line":"The unit test test_security_services_list_all_tenants_policy_authorized asserts that the security services"},{"line_number":14,"context_line":" are retrieved when policy.check_policy returns True."},{"line_number":15,"context_line":""},{"line_number":16,"context_line":"The unit test test_security_services_list_all_tenants_policy_not_authorized asserts that security services are not retrieved when policy.check_policy raises a NotAuthorized exception."},{"line_number":17,"context_line":""},{"line_number":18,"context_line":"Change-Id: I6cce61237f5ee3ce60d8165f6fac5e7e5a63b4dd"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":2,"id":"387c21ef_9388795e","line":16,"range":{"start_line":9,"start_character":0,"end_line":16,"end_character":183},"updated":"2022-03-10 14:05:00.000000000","message":"There are a few documentation items that can be useful while submitting code to OpenStack. 
To keep commit messages in a consistent pattern, the community usually follows a common guideline: https://wiki.openstack.org/wiki/GitCommitMessages\n\nSo according to this, the commit message lines should be wrapped at 72 characters.\n\nCould you please make these modifications?","commit_id":"a1a7820a69624b28d5886d154968dfe8809b8250"},{"author":{"_account_id":29632,"name":"Carlos Eduardo","email":"ces.eduardo98@gmail.com","username":"silvacarlos"},"change_message_id":"fbc0307b6847ffcc6005681b9deed76778be3736","unresolved":false,"context_lines":[{"line_number":6,"context_line":""},{"line_number":7,"context_line":"Remove admin context check when getting all security services, update unit tests."},{"line_number":8,"context_line":""},{"line_number":9,"context_line":"In manila/api/v1/security_service.py, the context.is_admin check is removed, allowing the subsequent policy check to determine whether the user can retrieve all security services. Authorization is determined by the RBAC policy \"security_services:get_all_security_services\" and checked in lines 112-113."},{"line_number":10,"context_line":""},{"line_number":11,"context_line":"In manila/tests/api/v1/test_security_service.py, unit tests for listing security services based on admin context were replaced with unit tests for listing security services based on whether the user is authorized or not."},{"line_number":12,"context_line":""},{"line_number":13,"context_line":"The unit test test_security_services_list_all_tenants_policy_authorized asserts that the security services"},{"line_number":14,"context_line":" are retrieved when policy.check_policy returns True."},{"line_number":15,"context_line":""},{"line_number":16,"context_line":"The unit test test_security_services_list_all_tenants_policy_not_authorized asserts that security services are not retrieved when policy.check_policy raises a NotAuthorized exception."},{"line_number":17,"context_line":""},{"line_number":18,"context_line":"Change-Id: 
I6cce61237f5ee3ce60d8165f6fac5e7e5a63b4dd"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":2,"id":"4c118db7_1c20a6a4","line":16,"range":{"start_line":9,"start_character":0,"end_line":16,"end_character":183},"in_reply_to":"387c21ef_9388795e","updated":"2022-05-06 20:11:34.000000000","message":"Done","commit_id":"a1a7820a69624b28d5886d154968dfe8809b8250"},{"author":{"_account_id":29632,"name":"Carlos Eduardo","email":"ces.eduardo98@gmail.com","username":"silvacarlos"},"change_message_id":"8ba3b7845ddd690e820c7b7c0345df30bc08d686","unresolved":true,"context_lines":[{"line_number":14,"context_line":" are retrieved when policy.check_policy returns True."},{"line_number":15,"context_line":""},{"line_number":16,"context_line":"The unit test test_security_services_list_all_tenants_policy_not_authorized asserts that security services are not retrieved when policy.check_policy raises a NotAuthorized exception."},{"line_number":17,"context_line":""},{"line_number":18,"context_line":"Change-Id: I6cce61237f5ee3ce60d8165f6fac5e7e5a63b4dd"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":2,"id":"f033d223_7a28d897","line":17,"updated":"2022-03-10 14:05:00.000000000","message":"Could you please add a Closes-Bug: #bug-number to this commit message?\nIt will help us to identify that this change is closing a specific bug, as well as trigger the integration bot to update the status of the bug automatically as soon as new updates are being pushed and to close the bug setting its status to closed when this change gets merged.\n\nPlease see the section \"Including external references\" in this documentation: https://wiki.openstack.org/wiki/GitCommitMessages for more details :)","commit_id":"a1a7820a69624b28d5886d154968dfe8809b8250"},{"author":{"_account_id":29632,"name":"Carlos 
Eduardo","email":"ces.eduardo98@gmail.com","username":"silvacarlos"},"change_message_id":"fbc0307b6847ffcc6005681b9deed76778be3736","unresolved":false,"context_lines":[{"line_number":14,"context_line":" are retrieved when policy.check_policy returns True."},{"line_number":15,"context_line":""},{"line_number":16,"context_line":"The unit test test_security_services_list_all_tenants_policy_not_authorized asserts that security services are not retrieved when policy.check_policy raises a NotAuthorized exception."},{"line_number":17,"context_line":""},{"line_number":18,"context_line":"Change-Id: I6cce61237f5ee3ce60d8165f6fac5e7e5a63b4dd"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":2,"id":"31507e6f_36725ec9","line":17,"in_reply_to":"f033d223_7a28d897","updated":"2022-05-06 20:11:34.000000000","message":"Done","commit_id":"a1a7820a69624b28d5886d154968dfe8809b8250"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"374e194106944a1fd8ae3818a7250142477199a9","unresolved":true,"context_lines":[{"line_number":9,"context_line":"In manila/api/v1/security_service.py, the context.is_admin check is"},{"line_number":10,"context_line":"removed, allowing the subsequent policy check to determine whether the"},{"line_number":11,"context_line":"user can retrieve all security services. 
Authorization is determined by"},{"line_number":12,"context_line":"the RBAC policy \"security_services:get_all_security_services\" and"},{"line_number":13,"context_line":"checked in lines 112-113."},{"line_number":14,"context_line":""},{"line_number":15,"context_line":"In manila/tests/api/v1/test_security_service.py, unit tests for listing"},{"line_number":16,"context_line":"security services based on admin context were replaced with unit tests"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":5,"id":"7a438d99_9553562d","line":13,"range":{"start_line":12,"start_character":62,"end_line":13,"end_character":25},"updated":"2022-05-06 20:04:26.000000000","message":"unnecessary","commit_id":"6ab8bd3d5f46280027cf81dd524b0e2df1228611"},{"author":{"_account_id":29632,"name":"Carlos Eduardo","email":"ces.eduardo98@gmail.com","username":"silvacarlos"},"change_message_id":"fbc0307b6847ffcc6005681b9deed76778be3736","unresolved":false,"context_lines":[{"line_number":9,"context_line":"In manila/api/v1/security_service.py, the context.is_admin check is"},{"line_number":10,"context_line":"removed, allowing the subsequent policy check to determine whether the"},{"line_number":11,"context_line":"user can retrieve all security services. 
Authorization is determined by"},{"line_number":12,"context_line":"the RBAC policy \"security_services:get_all_security_services\" and"},{"line_number":13,"context_line":"checked in lines 112-113."},{"line_number":14,"context_line":""},{"line_number":15,"context_line":"In manila/tests/api/v1/test_security_service.py, unit tests for listing"},{"line_number":16,"context_line":"security services based on admin context were replaced with unit tests"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":5,"id":"8d5c6538_a7b93cbc","line":13,"range":{"start_line":12,"start_character":62,"end_line":13,"end_character":25},"in_reply_to":"7a438d99_9553562d","updated":"2022-05-06 20:11:34.000000000","message":"Done","commit_id":"6ab8bd3d5f46280027cf81dd524b0e2df1228611"}],"/PATCHSET_LEVEL":[{"author":{"_account_id":29632,"name":"Carlos Eduardo","email":"ces.eduardo98@gmail.com","username":"silvacarlos"},"change_message_id":"8ba3b7845ddd690e820c7b7c0345df30bc08d686","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"b7561951_b16d3d28","updated":"2022-03-10 14:05:00.000000000","message":"Thank you for working on this change, Cameron!\nThat\u0027s a good fix! Added few comments for you, please check them inline.\nAlso, I\u0027d like you to please create a release note [1]. 
It is quite useful for fixes.\n\n[1] https://docs.openstack.org/manila/latest/contributor/adding_release_notes.html","commit_id":"a1a7820a69624b28d5886d154968dfe8809b8250"},{"author":{"_account_id":30407,"name":"haixin","email":"haixin_haixin@qq.com","username":"haixin"},"change_message_id":"182c5a0447b974c9457f5c5f8246c2985b25e0de","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"b6c0ae9f_92dd105e","updated":"2022-03-09 04:43:25.000000000","message":"hi, Cameron Kolodjski.\nthanks for your change.\nHere are some of my thoughts","commit_id":"a1a7820a69624b28d5886d154968dfe8809b8250"},{"author":{"_account_id":29632,"name":"Carlos Eduardo","email":"ces.eduardo98@gmail.com","username":"silvacarlos"},"change_message_id":"2f0472dd080036f0cd5881ac49b31524de7e41fe","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"d01bca70_168bb692","updated":"2022-05-05 14:26:33.000000000","message":"recheck","commit_id":"50295f895e1a1e85d337234f617bf84f6f4d4232"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"b037e45c3ee33f89574d01b682da11f149440ec3","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":4,"id":"92d2c01b_5a6282b6","updated":"2022-05-06 13:20:00.000000000","message":"Thanks, a suggestion for improvement inline... We\u0027d need a release note for this change as well.. 
","commit_id":"e323e89fa2a36dca0a2cccc71a864e5a982bdd1a"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"374e194106944a1fd8ae3818a7250142477199a9","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":5,"id":"9e2140ff_6256386c","updated":"2022-05-06 20:04:26.000000000","message":"Thanks Cameron and Carlos; I feel like the reno could use an improvement; please see the comment inline","commit_id":"6ab8bd3d5f46280027cf81dd524b0e2df1228611"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"ba29ee943eda265f52da9295b5eedde5dfe3e4e0","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":6,"id":"3be0673c_06dd9909","updated":"2022-05-06 20:13:02.000000000","message":"LGTM, thank you! ","commit_id":"59b9f7128160873615e10c23010f502fb2d1ac4f"},{"author":{"_account_id":29632,"name":"Carlos Eduardo","email":"ces.eduardo98@gmail.com","username":"silvacarlos"},"change_message_id":"05049af8f95a49f9238673dd662b59f0ba0546c6","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":6,"id":"8a704863_79c9a65e","updated":"2022-05-06 20:11:47.000000000","message":"Thank you for the review, Goutham\nPlease check changes inline","commit_id":"59b9f7128160873615e10c23010f502fb2d1ac4f"},{"author":{"_account_id":29632,"name":"Carlos Eduardo","email":"ces.eduardo98@gmail.com","username":"silvacarlos"},"change_message_id":"66b09a176fd92352d4496898502a9826cdccdd80","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":7,"id":"969210be_6881c3a7","updated":"2022-05-06 20:21:53.000000000","message":"Edited the release note... 
Sorry for losing the vote :/\nBeing beyond the character limits bugs me :D","commit_id":"3fb9b981b08a049466586feaf9ef011a5883d38f"},{"author":{"_account_id":29632,"name":"Carlos Eduardo","email":"ces.eduardo98@gmail.com","username":"silvacarlos"},"change_message_id":"414dfde2fd58338bd44895a2aa9646bab3c44d88","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":7,"id":"5dd2a68a_554dead9","updated":"2022-06-21 18:57:24.000000000","message":"Hi, haixin! Thank you for reviewing.\nPlease check the answer inline","commit_id":"3fb9b981b08a049466586feaf9ef011a5883d38f"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"fa63da24682f028b0c9e38f25ef15e743059acd3","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":7,"id":"3f52a9da_797047fb","updated":"2022-05-07 07:30:01.000000000","message":"LGTM, thank you for the changes Carlos","commit_id":"3fb9b981b08a049466586feaf9ef011a5883d38f"},{"author":{"_account_id":6413,"name":"Victoria Martinez de la Cruz","email":"victoria@redhat.com","username":"vkmc"},"change_message_id":"b3145d184b6f498f657a60d457d163f39fdc162a","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":7,"id":"5a5fb2a1_43ca5526","updated":"2022-07-15 11:27:55.000000000","message":"LGTM, thanks","commit_id":"3fb9b981b08a049466586feaf9ef011a5883d38f"},{"author":{"_account_id":30407,"name":"haixin","email":"haixin_haixin@qq.com","username":"haixin"},"change_message_id":"300cb10e01fb79f561dec07d430fa591aea9e4ee","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":7,"id":"9b1ebe8b_cd9ca2a1","updated":"2022-05-07 08:36:56.000000000","message":"hi, Carlos.\nhere is my comment inline.\nwhat do you think?","commit_id":"3fb9b981b08a049466586feaf9ef011a5883d38f"},{"author":{"_account_id":29632,"name":"Carlos 
Eduardo","email":"ces.eduardo98@gmail.com","username":"silvacarlos"},"change_message_id":"daa3ca38b0b4dbeff67d696431d6cdc94a3a786e","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":7,"id":"531a6416_2e00b49c","updated":"2022-05-06 20:21:10.000000000","message":"recheck","commit_id":"3fb9b981b08a049466586feaf9ef011a5883d38f"},{"author":{"_account_id":30407,"name":"haixin","email":"haixin_haixin@qq.com","username":"haixin"},"change_message_id":"826e5480e00e6154f2dd04afc8f4ea22d80579c8","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":7,"id":"9d6950a7_1692982e","updated":"2022-07-15 02:42:00.000000000","message":"thanks, Carlos Eduardo.","commit_id":"3fb9b981b08a049466586feaf9ef011a5883d38f"}],"manila/api/v1/security_service.py":[{"author":{"_account_id":30407,"name":"haixin","email":"haixin_haixin@qq.com","username":"haixin"},"change_message_id":"182c5a0447b974c9457f5c5f8246c2985b25e0de","unresolved":true,"context_lines":[{"line_number":108,"context_line":"            security_services \u003d share_nw[\u0027security_services\u0027]"},{"line_number":109,"context_line":"            del search_opts[\u0027share_network_id\u0027]"},{"line_number":110,"context_line":"        else:"},{"line_number":111,"context_line":"            if utils.is_all_tenants(search_opts):"},{"line_number":112,"context_line":"                policy.check_policy(context, RESOURCE_NAME,"},{"line_number":113,"context_line":"                                    \u0027get_all_security_services\u0027)"},{"line_number":114,"context_line":"                security_services \u003d db.security_service_get_all(context)"}],"source_content_type":"text/x-python","patch_set":2,"id":"348533b2_9071e3ac","line":111,"range":{"start_line":111,"start_character":12,"end_line":111,"end_character":49},"updated":"2022-03-09 04:43:25.000000000","message":"After removing this check, context.is_admin is False and all_tenants is True.\nwill then check policy and got error. 
We don\u0027t have to throw an error here.\ni think if not admin user, we can just filter by context.project directly.\n\nHere, I think of another situation, if context is admin, and specified project_id,\nproject_id !\u003d context.project. here missed this situation.\n\nI think you can refer to share_networks\u0027 query method here.\nmanila/api/v2/share_networks.py #168-177","commit_id":"a1a7820a69624b28d5886d154968dfe8809b8250"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"b037e45c3ee33f89574d01b682da11f149440ec3","unresolved":true,"context_lines":[{"line_number":108,"context_line":"            security_services \u003d share_nw[\u0027security_services\u0027]"},{"line_number":109,"context_line":"            del search_opts[\u0027share_network_id\u0027]"},{"line_number":110,"context_line":"        else:"},{"line_number":111,"context_line":"            if utils.is_all_tenants(search_opts):"},{"line_number":112,"context_line":"                policy.check_policy(context, RESOURCE_NAME,"},{"line_number":113,"context_line":"                                    \u0027get_all_security_services\u0027)"},{"line_number":114,"context_line":"                security_services \u003d db.security_service_get_all(context)"}],"source_content_type":"text/x-python","patch_set":2,"id":"58023f5a_62a082c4","line":111,"range":{"start_line":111,"start_character":12,"end_line":111,"end_character":49},"in_reply_to":"348533b2_9071e3ac","updated":"2022-05-06 13:20:00.000000000","message":"hmmm, okay, so for consistency you suggest ignoring the \"all_tenants\" query if the requester isn\u0027t authorized to use it.. 
that does sound like a good approach because we don\u0027t perform strict query validations elsewhere.\n\nSo we\u0027d do:\n\n        # ignore all_tenants if not authorized to use it.\n        security_services \u003d None\n        if utils.is_all_tenants(search_opts):\n           allowed_to_list_all_tenants \u003d policy.check_policy(\n              context, RESOURCE_NAME, \u0027get_all_security_services\u0027, do_raise\u003dFalse)\n           if allowed_to_list_all_tenants:\n               security_services \u003d db.security_service_get_all(context)\n        if security_services is None:\n            security_services \u003d db.security_service_get_all_by_project(\n                    context, context.project_id)","commit_id":"a1a7820a69624b28d5886d154968dfe8809b8250"},{"author":{"_account_id":29632,"name":"Carlos Eduardo","email":"ces.eduardo98@gmail.com","username":"silvacarlos"},"change_message_id":"0d39eb3efec7280ea3675458ec3c16aa7e262a0a","unresolved":false,"context_lines":[{"line_number":108,"context_line":"            security_services \u003d share_nw[\u0027security_services\u0027]"},{"line_number":109,"context_line":"            del search_opts[\u0027share_network_id\u0027]"},{"line_number":110,"context_line":"        else:"},{"line_number":111,"context_line":"            if utils.is_all_tenants(search_opts):"},{"line_number":112,"context_line":"                policy.check_policy(context, RESOURCE_NAME,"},{"line_number":113,"context_line":"                                    \u0027get_all_security_services\u0027)"},{"line_number":114,"context_line":"                security_services \u003d db.security_service_get_all(context)"}],"source_content_type":"text/x-python","patch_set":2,"id":"35e567f7_5242fd7d","line":111,"range":{"start_line":111,"start_character":12,"end_line":111,"end_character":49},"in_reply_to":"58023f5a_62a082c4","updated":"2022-05-06 
17:28:01.000000000","message":"Done","commit_id":"a1a7820a69624b28d5886d154968dfe8809b8250"},{"author":{"_account_id":30407,"name":"haixin","email":"haixin_haixin@qq.com","username":"haixin"},"change_message_id":"300cb10e01fb79f561dec07d430fa591aea9e4ee","unresolved":true,"context_lines":[{"line_number":107,"context_line":"                                            search_opts[\u0027share_network_id\u0027])"},{"line_number":108,"context_line":"            security_services \u003d share_nw[\u0027security_services\u0027]"},{"line_number":109,"context_line":"            del search_opts[\u0027share_network_id\u0027]"},{"line_number":110,"context_line":"        else:"},{"line_number":111,"context_line":"            # ignore all_tenants if not authorized to use it."},{"line_number":112,"context_line":"            security_services \u003d None"},{"line_number":113,"context_line":"            if utils.is_all_tenants(search_opts):"}],"source_content_type":"text/x-python","patch_set":7,"id":"39e68b3e_ec32a15e","line":110,"range":{"start_line":110,"start_character":8,"end_line":110,"end_character":13},"updated":"2022-05-07 08:36:56.000000000","message":"I think we\u0027re missing one scenario, context.is_admin is True, and \u0027project_id\u0027 in search_opts. 
that admin user just want to security_services in project A.\nso i think the code should be:\n\n        if \u0027share_network_id\u0027 in search_opts:\n            share_nw \u003d db.share_network_get(context,\n                                            search_opts[\u0027share_network_id\u0027])\n            security_services \u003d share_nw[\u0027security_services\u0027]\n            del search_opts[\u0027share_network_id\u0027]\n        else:\n            # only admin can query other project.\n            # ignore all_tenants if not authorized to use it.\n            security_services \u003d None\n            if \u0027project_id\u0027 in search_opts:\n                if context.is_admin:\n                    security_services \u003d db.security_service_get_all_by_project(\n                        context, search_opts[\u0027project_id\u0027])\n            elif utils.is_all_tenants(search_opts):\n                allowed_to_list_all_tenants \u003d policy.check_policy(\n                    context, RESOURCE_NAME, \u0027get_all_security_services\u0027,\n                    do_raise\u003dFalse)\n                if allowed_to_list_all_tenants:\n                    security_services \u003d db.security_service_get_all(context)\n            if security_services is None:\n                security_services \u003d db.security_service_get_all_by_project(\n                    context, context.project_id)\n        search_opts.pop(\u0027project_id\u0027, None)\n        search_opts.pop(\u0027all_tenants\u0027, None)\n        common.remove_invalid_options(...........................","commit_id":"3fb9b981b08a049466586feaf9ef011a5883d38f"},{"author":{"_account_id":29632,"name":"Carlos Eduardo","email":"ces.eduardo98@gmail.com","username":"silvacarlos"},"change_message_id":"414dfde2fd58338bd44895a2aa9646bab3c44d88","unresolved":false,"context_lines":[{"line_number":107,"context_line":"                                            
search_opts[\u0027share_network_id\u0027])"},{"line_number":108,"context_line":"            security_services \u003d share_nw[\u0027security_services\u0027]"},{"line_number":109,"context_line":"            del search_opts[\u0027share_network_id\u0027]"},{"line_number":110,"context_line":"        else:"},{"line_number":111,"context_line":"            # ignore all_tenants if not authorized to use it."},{"line_number":112,"context_line":"            security_services \u003d None"},{"line_number":113,"context_line":"            if utils.is_all_tenants(search_opts):"}],"source_content_type":"text/x-python","patch_set":7,"id":"eb67094a_0d4d62a2","line":110,"range":{"start_line":110,"start_character":8,"end_line":110,"end_character":13},"in_reply_to":"39e68b3e_ec32a15e","updated":"2022-06-21 18:57:24.000000000","message":"hmm, thanks for bringing this up, I think this scenario won\u0027t exist... We currently do not allow security services to be filtered by project_id. The API ref [1] mentions it but it is in the request path, not the body. 
Project_id is also not one of the filters we allow in python-manilaclient [2], and the search opts for security services [3] also does not mention it :)\n\n[1] https://docs.openstack.org/api-ref/shared-file-system/?expanded\u003dlist-security-services-detail#list-security-services\n[2] https://github.com/openstack/python-manilaclient/blob/master/manilaclient/v2/shell.py#L4227-L4312\n[3] https://github.com/openstack/manila/blob/14d3e268a05265db53b5cfd19d9a85a3ba73a271/manila/api/v1/security_service.py#L146-L148","commit_id":"3fb9b981b08a049466586feaf9ef011a5883d38f"},{"author":{"_account_id":30407,"name":"haixin","email":"haixin_haixin@qq.com","username":"haixin"},"change_message_id":"826e5480e00e6154f2dd04afc8f4ea22d80579c8","unresolved":false,"context_lines":[{"line_number":107,"context_line":"                                            search_opts[\u0027share_network_id\u0027])"},{"line_number":108,"context_line":"            security_services \u003d share_nw[\u0027security_services\u0027]"},{"line_number":109,"context_line":"            del search_opts[\u0027share_network_id\u0027]"},{"line_number":110,"context_line":"        else:"},{"line_number":111,"context_line":"            # ignore all_tenants if not authorized to use it."},{"line_number":112,"context_line":"            security_services \u003d None"},{"line_number":113,"context_line":"            if utils.is_all_tenants(search_opts):"}],"source_content_type":"text/x-python","patch_set":7,"id":"684b30e1_9760a52c","line":110,"range":{"start_line":110,"start_character":8,"end_line":110,"end_character":13},"in_reply_to":"eb67094a_0d4d62a2","updated":"2022-07-15 02:42:00.000000000","message":"ack, i missed this point.","commit_id":"3fb9b981b08a049466586feaf9ef011a5883d38f"}],"releasenotes/notes/bug-1916102-fix-security-service-policy-check-8e72254fa9fedc9e.yaml":[{"author":{"_account_id":16643,"name":"Goutham Pacha 
Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"374e194106944a1fd8ae3818a7250142477199a9","unresolved":true,"context_lines":[{"line_number":1,"context_line":"---"},{"line_number":2,"context_line":"fixes:"},{"line_number":3,"context_line":"  - |"},{"line_number":4,"context_line":"    Fixed an issue that allowed less-privileged users to see security services"},{"line_number":5,"context_line":"    not related to their projects. Now only more privileged users on the"},{"line_number":6,"context_line":"    system will be able to query security services from different projects."}],"source_content_type":"text/x-yaml","patch_set":5,"id":"c3563c54_0cf9239b","line":6,"range":{"start_line":4,"start_character":4,"end_line":6,"end_character":75},"updated":"2022-05-06 20:04:26.000000000","message":"I am confused by the wording here.. perhaps:\n\n Decoupled the RBAC ``share:get_all_security_services`` from ``context_is_admin``,\n potentially allowing the use of the ``all_tenants`` query by non-administrators.","commit_id":"6ab8bd3d5f46280027cf81dd524b0e2df1228611"},{"author":{"_account_id":29632,"name":"Carlos Eduardo","email":"ces.eduardo98@gmail.com","username":"silvacarlos"},"change_message_id":"fbc0307b6847ffcc6005681b9deed76778be3736","unresolved":false,"context_lines":[{"line_number":1,"context_line":"---"},{"line_number":2,"context_line":"fixes:"},{"line_number":3,"context_line":"  - |"},{"line_number":4,"context_line":"    Fixed an issue that allowed less-privileged users to see security services"},{"line_number":5,"context_line":"    not related to their projects. 
Now only more privileged users on the"},{"line_number":6,"context_line":"    system will be able to query security services from different projects."}],"source_content_type":"text/x-yaml","patch_set":5,"id":"29e2f801_9143ea57","line":6,"range":{"start_line":4,"start_character":4,"end_line":6,"end_character":75},"in_reply_to":"c3563c54_0cf9239b","updated":"2022-05-06 20:11:34.000000000","message":"Done","commit_id":"6ab8bd3d5f46280027cf81dd524b0e2df1228611"}]}
