Georgios D. Tsoukalas authored
Callpoint class had a placeholder attribute original_calls which was initialized as an empty dictionary, and thus was usable. Class __init__() code did not initialize original_calls as it should but because the placeholder was usable it did not break. Alas, the placeholder is global to all subclasses and their instances and one instance leaked attributes and functionality to the other. This caused the kamaki quotaholder client to be hijacked and directly call the backend, which was available on the same system/gunicorn deployment in our tests. The backend was directly called from an astakos view that had no transaction active (i.e. was on auto-commit). Normally, the backend would be called from the quotaholder_app view, which explicitly sets up a transaction.
30a44929
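
The shared-placeholder bug described in the commit message, reproduced as an added Python example (not code from this commit or the project). Only `original_calls` and `__init__()` come from the message; every other name is hypothetical, and the `None` placeholder in the fixed class is an assumption about how to make a missing initialization fail loudly.

```python
class LeakyCallpoint:
    # Usable placeholder: ONE dict object shared by the base class,
    # every subclass and every instance that never rebinds the name.
    original_calls = {}

    def __init__(self, **calls):
        # __init__ does not create its own dict, so this update lands
        # in the class-level placeholder and is visible everywhere.
        self.original_calls.update(calls)

    def call(self, name, *args):
        return self.original_calls[name](*args)


class FixedCallpoint:
    # Assumption: an unusable placeholder, so forgetting to initialize
    # raises AttributeError instead of silently sharing state.
    original_calls = None

    def __init__(self, **calls):
        self.original_calls = dict(calls)  # fresh dict per instance

    def call(self, name, *args):
        return self.original_calls[name](*args)


def http_client(holder):      # hypothetical: remote call via the client
    return ("http", holder)


def backend_direct(holder):   # hypothetical: in-process backend call
    return ("backend", holder)


def demo(base):
    """Return (result of the client's call, whether the dict is shared)."""
    Client = type("Client", (base,), {})
    Backend = type("Backend", (base,), {})
    client = Client(get_quota=http_client)
    backend = Backend(get_quota=backend_direct)  # registered later
    shared = client.original_calls is backend.original_calls
    return client.call("get_quota", "user1"), shared


if __name__ == "__main__":
    print("leaky:", demo(LeakyCallpoint))  # client dispatches to backend
    print("fixed:", demo(FixedCallpoint))  # client keeps its own call
```

The identity check `a.original_calls is b.original_calls` is a cheap regression test for this class of bug: it must be false for any two instances that are supposed to be independent.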