I have logged the bug below to enforce a 'content-type' check before RBAC enforcement on POST requests, but it seems we have a difference of opinion.

https://bugs.launchpad.net/barbican/+bug/1347101

Please look at the above bug and share your thoughts.

"IMO" - "content-type" enforcement is a concern of the REST subsystem (Pecan in this case) and RBAC is the application's concern. The application resides a level below the REST subsystem, so these checks and responses should also follow this notion. RBAC enforcement should be done only after all the necessary checks related to the REST aspect have been performed. This way we can save costly RBAC validation; at the same time, returning a legitimate "unauthorized" response for a request with a bad "content type" does not make sense.

Thanks,
Arvind
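The two orderings discussed in the message above, as an added example (not part of the original post, and not Barbican or Pecan code). The check functions, policy table, status codes and sample requests are constructed assumptions.

```python
# Added illustration: all names are hypothetical, not Barbican or Pecan code.
ALLOWED_TYPES = {"application/json"}          # assumed accepted media type
ROLE_GRANTS = {"creator": {"secrets:post"}}   # constructed policy table

def check_content_type(req):
    """REST-layer check: 415 unless the media type is accepted."""
    raw = req.get("headers", {}).get("Content-Type", "")
    media = raw.split(";")[0].strip().lower()  # drop parameters such as charset
    return None if media in ALLOWED_TYPES else 415

def check_rbac(req):
    """Application-layer check: 401 without an identity, 403 without a grant."""
    roles = req.get("roles", [])
    if not roles:
        return 401
    granted = set().union(*(ROLE_GRANTS.get(r, set()) for r in roles))
    return None if "secrets:post" in granted else 403

REST_FIRST = (check_content_type, check_rbac)  # ordering proposed in the message
RBAC_FIRST = (check_rbac, check_content_type)  # the opposite ordering

def handle_post(req, order):
    """Run checks in order; return (status, names of the checks that ran)."""
    ran = []
    for check in order:
        ran.append(check.__name__)
        status = check(req)
        if status is not None:
            return status, ran
    return 201, ran

def _req(ctype, roles):
    return {"headers": {"Content-Type": ctype}, "roles": roles}

# Constructed sample requests.
REQUESTS = {
    "anon_bad_type": _req("text/plain", []),
    "anon_json": _req("application/json", []),
    "observer_bad_type": _req("text/plain", ["observer"]),
    "creator_bad_type": _req("text/plain", ["creator"]),
    "creator_json": _req("application/json; charset=utf-8", ["creator"]),
}

def compare():
    """Map request name -> (status with REST_FIRST, status with RBAC_FIRST)."""
    return {n: (handle_post(r, REST_FIRST)[0], handle_post(r, RBAC_FIRST)[0])
            for n, r in REQUESTS.items()}

if __name__ == "__main__":
    for name, pair in compare().items():
        print(f"{name:18} rest_first={pair[0]} rbac_first={pair[1]}")
```

The orderings differ only for requests that fail both checks: REST-first answers 415 without evaluating RBAC, which also means an unauthenticated caller receives the content-type answer before any identity check.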