sipb-xen-dev@ -> sipb-xen@

[invirt/packages/invirt-web.git] / code / validation.py

diff --git a/code/validation.py b/code/validation.py
index fd2b979..4886638 100644 (file)
--- a/code/validation.py
+++ b/code/validation.py
@@ -1,5 +1,6 @@
 #!/usr/bin/python
 
 #!/usr/bin/python
 

+import cache_acls

 import getafsgroups
 import re
 import string
 import getafsgroups
 import re
 import string

@@ -71,18 +72,11 @@ def validAddVm(user):
 
 def haveAccess(user, machine):
     """Return whether a user has administrative access to a machine"""
 
 def haveAccess(user, machine):
     """Return whether a user has administrative access to a machine"""

-    if user in (machine.administrator, machine.owner):
-        return True
-    if getafsgroups.checkAfsGroup(user, machine.administrator, 
-                                  'athena.mit.edu'): #XXX Cell?
-        return True
-    if not getafsgroups.notLockerOwner(user, machine.owner):
-        return True
-    return owns(user, machine)
+    return user in cache_acls.accessList(machine)

 
 def owns(user, machine):
     """Return whether a user owns a machine"""
 
 def owns(user, machine):
     """Return whether a user owns a machine"""

-    return not getafsgroups.notLockerOwner(user, machine.owner)
+    return user in expandLocker(machine.owner)

 
 def validMachineName(name):
     """Check that name is valid for a machine name"""
 
 def validMachineName(name):
     """Check that name is valid for a machine name"""

@@ -151,26 +145,43 @@ def testMachineId(user, machine_id, exists=True):
     return machine
 
 def testAdmin(user, admin, machine):
     return machine
 
 def testAdmin(user, admin, machine):

+    """Determine whether a user can set the admin of a machine to this value.
+
+    Return the value to set the admin field to (possibly 'system:' +
+    admin).  XXX is modifying this a good idea?
+    """

     if admin in (None, machine.administrator):
         return None
     if admin == user:
         return admin
     if admin in (None, machine.administrator):
         return None
     if admin == user:
         return admin

-    if getafsgroups.checkAfsGroup(user, admin, 'athena.mit.edu'):
-        return admin
-    if getafsgroups.checkAfsGroup(user, 'system:'+admin,
-                                  'athena.mit.edu'):
-        return 'system:'+admin
+    if ':' not in admin:
+        if cache_acls.isUser(admin):
+            return admin
+        admin = 'system:' + admin
+    try:
+        if user in getafsgroups.getAfsGroupMembers(admin, 'athena.mit.edu'):
+            return admin
+    except getafsgroups.AfsProcessError, e:
+        raise InvalidInput('administrator', admin, str(e))
+    #XXX Should we require that user is in the admin group?

     return admin
     
 def testOwner(user, owner, machine=None):
     return admin
     
 def testOwner(user, owner, machine=None):

+    """Determine whether a user can set the owner of a machine to this value.
+
+    If machine is None, this is the owner of a new machine.
+    """

     if owner == user or machine is not None and owner == machine.owner:
         return owner
     if owner is None:
         raise InvalidInput('owner', owner, "Owner must be specified")
     if owner == user or machine is not None and owner == machine.owner:
         return owner
     if owner is None:
         raise InvalidInput('owner', owner, "Owner must be specified")

-    value = getafsgroups.notLockerOwner(user, owner)
-    if not value:
-        return owner
-    raise InvalidInput('owner', owner, value)
+    try:
+        if user not in cache_acls.expandLocker(owner):
+            raise InvalidInput('owner', owner, 'You do not have access to the '
+                               + owner + ' locker')
+    except getafsgroups.AfsProcessError, e:
+        raise InvalidInput('owner', owner, str(e))
+    return owner

 
 def testContact(user, contact, machine=None):
     if contact in (None, machine.contact):
 
 def testContact(user, contact, machine=None):
     if contact in (None, machine.contact):