X-Git-Url: http://xvm.mit.edu/gitweb/invirt/packages/invirt-web.git/blobdiff_plain/a233e191c363c40d4a5c4b68da23dd627b4906c6..refs/heads/dev:/code/validation.py diff --git a/code/validation.py b/code/validation.py index 5018ca3..d288a69 100755 --- a/code/validation.py +++ b/code/validation.py @@ -209,8 +209,7 @@ def testMachineId(user, state, machine_id, exists=True): def testAdmin(user, admin, machine): """Determine whether a user can set the admin of a machine to this value. - Return the value to set the admin field to (possibly 'system:' + - admin). XXX is modifying this a good idea? + Return the value to set the admin field to (possibly 'system:' + admin). """ if admin is None: return None @@ -218,20 +217,17 @@ def testAdmin(user, admin, machine): return admin if admin == user: return admin + # we do not require that the user be in the admin group; + # just that it is a non-empty set + if authz.expandAdmin(admin): + return admin if ':' not in admin: - if cache_acls.isUser(admin): - return admin - admin = 'system:' + admin - try: - if user in getafsgroups.getAfsGroupMembers(admin, config.authz.afs.cells[0].cell): - return admin - except getafsgroups.AfsProcessError, e: - errmsg = str(e) - if errmsg.startswith("pts: User or group doesn't exist"): - errmsg = 'The group "%s" does not exist.' % admin - raise InvalidInput('administrator', admin, errmsg) - #XXX Should we require that user is in the admin group? - return admin + if authz.expandAdmin('system:' + admin): + return 'system:' + admin + errmsg = 'No user "%s" or non-empty group "system:%s" found.' % (admin, admin) + else: + errmsg = 'No non-empty group "%s" found.' % (admin,) + raise InvalidInput('administrator', admin, errmsg) def testOwner(user, owner, machine=None): """Determine whether a user can set the owner of a machine to this value.