stfc / rucio

Rucio - Scientific Data Management
http://rucio.cern.ch
Apache License 2.0

Refactor handling of RSE expressions #51

Closed elichad closed 4 years ago

elichad commented 4 years ago

Motivation

Our current method of handling RSE expressions at the API layer is vulnerable to injection (that could, for example, reveal RSEs from other VOs).

Modification

Pass the VO through to key core functions such as parse_rse_expression, and use this VO to filter RSEs returned from database queries.

Then, update tests that pass an rse_expression directly to the core accordingly.

patrick-austin commented 4 years ago

parse_rse_expression now directly uses VO, and is usually passed by the API using filters. In some cases where we don't call it from the API, we get the VO from accounts, scopes etc. Have removed places where we added (and removed) the VO from the rse_expression string. C3PO daemon was deemed to be unused at the meeting on the 30/04/2020, so this was not updated to the new way of using VO (but the old methods were removed).
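
The change discussed in this issue, as an added example that is not part of the thread or of Rucio's code. The toy grammar, the constructed sample RSEs and the function names `resolve_by_string` and `resolve_by_parameter` are all assumptions; the block contrasts a VO restriction appended to the expression string with a VO passed as a separate argument and applied to the resolved set.

```python
# Constructed sample data: RSEs belonging to two virtual organisations (VOs).
RSES = [
    {"name": "SITE_A", "vo": "abc", "tier": "1"},
    {"name": "SITE_B", "vo": "abc", "tier": "2"},
    {"name": "SITE_C", "vo": "xyz", "tier": "1"},
]


def _term(term):
    """Resolve one `key=value` term to the set of matching RSE names."""
    key, _, value = term.partition("=")
    return {r["name"] for r in RSES if r.get(key.strip()) == value.strip()}


def evaluate(expression):
    """Toy grammar (an assumption, not Rucio's parser): `|` is union, `&` is
    intersection and binds tighter than `|`; no parentheses."""
    result = set()
    for branch in expression.split("|"):
        terms = [_term(t) for t in branch.split("&")]
        result |= set.intersection(*terms)
    return result


def resolve_by_string(expression, vo):
    """Old pattern: the VO restriction is appended to caller-supplied text,
    so it becomes part of the expression and is subject to its grammar."""
    return evaluate(expression + "&vo=" + vo)


def resolve_by_parameter(expression, vo):
    """Pattern from the issue: the VO is a separate argument that filters the
    resolved set, so the expression text cannot influence it."""
    allowed = {r["name"] for r in RSES if r["vo"] == vo}
    return evaluate(expression) & allowed


if __name__ == "__main__":
    # Compare both patterns for a caller that belongs to VO "abc".
    for expr in ("tier=1", "tier=1|tier=2", "vo=xyz"):
        print(expr,
              sorted(resolve_by_string(expr, "abc")),
              sorted(resolve_by_parameter(expr, "abc")))
```

A regression test for this class of bug asserts that every RSE returned for any expression belongs to the caller's VO, rather than checking individual expressions.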