create() API in cinder/volume/api.py does the authority check
in cinder/volume/flows/api/create_volume.py.
This creates potential for disclosing information during error checking
prior to user authorization being checked.
This fix will do the authority check in create() itself, so that
it is done before proceeding with the rest of the code flow.
Change-Id: I27dbdf5f3ae4e3d681cdbf77df10706721254ffc
Closes-Bug: #1472031
source_replica=None, consistencygroup=None,
cgsnapshot=None, multiattach=False, source_cg=None):
+ check_policy(context, 'create')
+
# NOTE(jdg): we can have a create without size if we're
# doing a create from snap or volume. Currently
# the taskflow api will handle this and pull in the
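Review bot: The added check_policy(context, 'create') at the top of create() duplicates the check the commit message says already lives in cinder/volume/flows/api/create_volume.py, and nothing in the visible lines removes or documents that second check. Either drop the flow-level check in the same change or add a short comment above the new call saying the API-level check is the authoritative one and must stay ahead of all argument validation, so a later refactor does not move it below the size and source checks again. A unit test that calls create() with invalid arguments under a denying policy and asserts that the policy failure is raised, not the validation error, would pin the ordering this fix depends on.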