From: Anna Sortland <annasort@us.ibm.com>
Date: Thu, 27 Aug 2015 20:36:11 +0000 (-0500)
Subject: Earlier authority check for create volume API
X-Git-Url: https://review.fuel-infra.org/gitweb?a=commitdiff_plain;h=7686777023b6703230850280be895c154ef8f07d;p=openstack-build%2Fcinder-build.git

Earlier authority check for create volume API

create() API in cinder/volume/api.py does the authority check
in cinder/volume/flows/api/create_volume.py.
This creates potential for disclosing information during error checking
prior to user authorization being checked.
This fix will do authority check to create() itself, so that
it is done before proceeding with the rest of code flow.

Change-Id: I27dbdf5f3ae4e3d681cdbf77df10706721254ffc
Closes-Bug: #1472031
---

diff --git a/cinder/volume/api.py b/cinder/volume/api.py
index d247a991d..3c14f899f 100644
--- a/cinder/volume/api.py
+++ b/cinder/volume/api.py
@@ -192,6 +192,8 @@ class API(base.Base):
                source_replica=None, consistencygroup=None,
                cgsnapshot=None, multiattach=False, source_cg=None):
 
+        check_policy(context, 'create')
+
         # NOTE(jdg): we can have a create without size if we're
         # doing a create from snap or volume.  Currently
         # the taskflow api will handle this and pull in the