patrick-austin
commented
4 years ago Added a new permission check when using rule_id that passes if the issuer has the same VO as the rule (as the scope of the rule). This prevents root at one VO being able to (among other things) delete rules from another VO (even though this is unlikely as they would need to somehow get the rule_id from the other VO). This permission is separate from existing permission checks on rules (i.e. one must pass both access_rule and del_rule before deleting a rule).
Have added a test case for ensuring that deletion cannot occur in the example above.
Some calls to replication rules are available through the API via an ID. Change the id to external specifier as we work within one VO. Check VO is correct at the permissions level (based on the calling account). Avoid returning VOs outside this VO.
list_scopes should be filtered out on return, limiting to just scopes within the relevant VO.