From 3bd00ccb4f69108faeb79b4f9e17b5619031cf49 Mon Sep 17 00:00:00 2001
From: fmigneault <francis.charette.migneault@gmail.com>
Date: Sat, 10 Jul 2021 00:13:03 -0400
Subject: [PATCH] update changelog with perm fix security note + adjustment of
 error message (relates to #433)

---
 CHANGES.rst | 21 +++++++++++++--------
 1 file changed, 13 insertions(+), 8 deletions(-)

diff --git a/CHANGES.rst b/CHANGES.rst
index ba7fcccb4..6dcb11e53 100644
--- a/CHANGES.rst
+++ b/CHANGES.rst
@@ -12,17 +12,22 @@ Features / Changes
 * Improve error reporting of ``MagpieAdapter`` when validating the *requested* ``Permission``. If the `Service`
   implementation raises an ``HTTP Bad Request [400]`` due to insufficient, invalid or missing parameters from
   the request to properly resolve the corresponding `Magpie` ``Permission``, more details about the cause will
-  be reported in the `Twitcher` response body. Also, code ``400`` is returned instead of ``500``.
+  be reported in the `Twitcher` response body. Also, code ``400`` is returned instead of ``500``
+  (relates to `#433 <https://github.com/Ouranosinc/Magpie/issues/433>`_).
 
 Bug Fixes
 ~~~~~~~~~~~~~~~~~~~~~
-* Fix an issue in ``MagpieAdapter`` when `Service` caching is enabled (in `Twitcher` INI configuration) that caused
-  implementations derived from ``ServiceOWS`` (WPS, WMS, WFS) to incorrectly retrieve and parse the cached request
-  parameters instead of the new ones from the incoming request.
-  Because ``ServiceOWS`` implementations employ request parameter ``request`` (in query or body based on HTTP method)
-  to infer their corresponding `Magpie` ``Permission`` (e.g.: ``GetCapabilities``, ``GetMap``, etc.), this produced
-  potential inconsistencies between the *requested* ``Permission`` that `Twitcher` was evaluating with `Magpie`, and
-  the *actual request* sent to the `Service` behind the proxy.
+* | Fix an issue in ``MagpieAdapter`` when `Service` caching is enabled (in `Twitcher` INI configuration) that caused
+    implementations derived from ``ServiceOWS`` (WPS, WMS, WFS) to incorrectly retrieve and parse the cached request
+    parameters instead of the new ones from the incoming request.
+  |
+  | **SECURITY**:
+  | Because ``ServiceOWS`` implementations employ request parameter ``request`` (in query or body based on HTTP method)
+    to infer their corresponding `Magpie` ``Permission`` (e.g.: ``GetCapabilities``, ``GetMap``, etc.), this produced
+    potential inconsistencies between the *requested* ``Permission`` that `Twitcher` was evaluating with `Magpie`, and
+    the *actual request* sent to the `Service` behind the proxy. Depending on the request order and cache expiration
+    times, this could lead to permissions incorrectly resolved for some requests, granting or rejecting wrong user
+    access to resources.
 
 `3.13.0 <https://github.com/Ouranosinc/Magpie/tree/3.13.0>`_ (2021-06-29)
 ------------------------------------------------------------------------------------