Fix admin can not delete other user's secrets

Change-Id: I1f996cc50c2b4667c18d495b4ca422a40e594cff
2020-05-18 10:58:17 +08:00 · 2020-05-18 10:58:17 +08:00 · b0ec7edf1d
commit b0ec7edf1d
parent 1ad4359735
2 changed files with 12 additions and 0 deletions
--- a/barbican/api/controllers/secrets.py
+++ b/barbican/api/controllers/secrets.py
@ -260,6 +260,12 @@ class SecretController(controllers.ACLMixin):
            self.secret.id,
            suppress_exception=True
        )
+
+        # With ACL support, the user token project does not have to be same as
+        # project associated with secret. The lookup project_id needs to be
+        # derived from the secret's data considering authorization is already
+        # done.
+        external_project_id = self.secret.project.external_id
        plugin.delete_secret(self.secret, external_project_id)
        LOG.info('Deleted secret for project: %s', external_project_id)

--- a/releasenotes/notes/fix-story-2006978-aa5f2r9cqpfa0tm8.yaml
+++ b/releasenotes/notes/fix-story-2006978-aa5f2r9cqpfa0tm8.yaml
@ -0,0 +1,6 @@
+---
+fixes:
+  - |
+    Fixed Story #2006978:  An admin user now can delete other users secrets
+    by adjust the policy file.
+