update changelog with perm fix security note + adjustment of error me…

…ssage (relates to #433)
Ouranosinc · Jul 10, 2021 · 3bd00cc · 3bd00cc
1 parent e71369c
commit 3bd00cc
Showing 1 changed file with 13 additions and 8 deletions.
diff --git a/CHANGES.rst b/CHANGES.rst
@@ -12,17 +12,22 @@ Features / Changes
 * Improve error reporting of ``MagpieAdapter`` when validating the *requested* ``Permission``. If the `Service`
   implementation raises an ``HTTP Bad Request [400]`` due to insufficient, invalid or missing parameters from
   the request to properly resolve the corresponding `Magpie` ``Permission``, more details about the cause will
-  be reported in the `Twitcher` response body. Also, code ``400`` is returned instead of ``500``.
+  be reported in the `Twitcher` response body. Also, code ``400`` is returned instead of ``500``
+  (relates to `#433 <https://github.com/Ouranosinc/Magpie/issues/433>`_).
 
 Bug Fixes
 ~~~~~~~~~~~~~~~~~~~~~
-* Fix an issue in ``MagpieAdapter`` when `Service` caching is enabled (in `Twitcher` INI configuration) that caused
-  implementations derived from ``ServiceOWS`` (WPS, WMS, WFS) to incorrectly retrieve and parse the cached request
-  parameters instead of the new ones from the incoming request.
-  Because ``ServiceOWS`` implementations employ request parameter ``request`` (in query or body based on HTTP method)
-  to infer their corresponding `Magpie` ``Permission`` (e.g.: ``GetCapabilities``, ``GetMap``, etc.), this produced
-  potential inconsistencies between the *requested* ``Permission`` that `Twitcher` was evaluating with `Magpie`, and
-  the *actual request* sent to the `Service` behind the proxy.
+* | Fix an issue in ``MagpieAdapter`` when `Service` caching is enabled (in `Twitcher` INI configuration) that caused
+    implementations derived from ``ServiceOWS`` (WPS, WMS, WFS) to incorrectly retrieve and parse the cached request
+    parameters instead of the new ones from the incoming request.
+  |
+  | **SECURITY**:
+  | Because ``ServiceOWS`` implementations employ request parameter ``request`` (in query or body based on HTTP method)
+    to infer their corresponding `Magpie` ``Permission`` (e.g.: ``GetCapabilities``, ``GetMap``, etc.), this produced
+    potential inconsistencies between the *requested* ``Permission`` that `Twitcher` was evaluating with `Magpie`, and
+    the *actual request* sent to the `Service` behind the proxy. Depending on the request order and cache expiration
+    times, this could lead to permissions incorrectly resolved for some requests, granting or rejecting wrong user
+    access to resources.
 
 `3.13.0 <https://github.com/Ouranosinc/Magpie/tree/3.13.0>`_ (2021-06-29)
 ------------------------------------------------------------------------------------