Reviewed: https://review.openstack.org/203958 Committed: https://git.openstack.org/cgit/openstack/murano/commit/?id=b5b39becc0bc5f4cc2d59968930a4ea75a0b072d Submitter: Jenkins Branch: master commit b5b39becc0bc5f4cc2d59968930a4ea75a0b072d Author: leizhang <lei.a.zhang at intel.com> Date: Tue Jul 21 15:11:46 2015 +0800 Check tenant id during abandoning of an env Add code to check whether current tenant matches the env's tentant Change-Id: Ia6c291261de8951dc779394b993e646ed0c0a9d9 Closes-Bug: #1464219 SecurityImpact ** Changed in: murano Status: In Progress => Fix Committed -- You received this bug notification because you are a member of OpenStack Security, which is subscribed to OpenStack. https://bugs.launchpad.net/bugs/1464219 Title: [api] there are no checks of request tenant_id during abandoning of an environment Status in murano: Fix Committed Bug description: Looks like the code currently does not check, that a given env belongs to current requests tenant. Therefore it might be possible for users from different tenants to delete/deploy environments. To manage notifications about this bug go to: https://bugs.launchpad.net/murano/+bug/1464219/+subscriptions