This repository was archived by the owner on Jan 21, 2022. It is now read-only.
Authorization check performed after reading the document #545
Open
Description
Currently, in order to perform authorization checks, the relevant document is first read from the database, and only then are the passed OAuth scopes compared to the required OAuth scopes. This is because in order to build the required scopes a `resource_id` is needed, but it is usually not part of the request, but part of the document.

This is not ok, as one could try a DoS attack against Abacus using an invalid token. Instead, it should be possible to retrieve the `resource_id` from the account plugin (there it's usually cached), perform the authorization check, and only if successful proceed with retrieving the document.
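As an added example (not Abacus code), the two orderings the issue contrasts, written in Python with a read counter that makes the cost of the current ordering visible; the class names, the scope naming convention and the plugin lookup method are assumptions for illustration.

```python
# Added example, not the project's own code: the two authorization orderings
# described above, with a counter showing how many database reads a request
# with insufficient scopes causes. All names here are assumptions.

class DocumentStore:
    """Constructed stand-in for the database; counts reads to expose DoS cost."""
    def __init__(self, docs):
        self._docs = docs
        self.reads = 0

    def get(self, doc_id):
        self.reads += 1  # every call is a real database round trip
        return self._docs[doc_id]


class AccountPlugin:
    """Constructed stand-in for the account plugin, which caches doc -> resource_id."""
    def __init__(self, mapping):
        self._cache = mapping

    def resource_id_for(self, doc_id):
        return self._cache[doc_id]  # served from cache, no document read


def required_scopes(resource_id):
    # Assumed scope naming convention for the example.
    return {f"{resource_id}.read"}


def authorized(token_scopes, resource_id):
    return required_scopes(resource_id) <= set(token_scopes)


def read_then_authorize(store, doc_id, token_scopes):
    """Current ordering from the issue: the DB read happens before the scope check,
    so an invalid token still costs one database read per request."""
    doc = store.get(doc_id)
    if not authorized(token_scopes, doc["resource_id"]):
        raise PermissionError("insufficient scope")
    return doc


def authorize_then_read(store, plugin, doc_id, token_scopes):
    """Proposed ordering: resolve resource_id from the cache, check scopes,
    and only then read the document from the database."""
    if not authorized(token_scopes, plugin.resource_id_for(doc_id)):
        raise PermissionError("insufficient scope")
    return store.get(doc_id)
```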