X-Git-Url: http://xvm.mit.edu/gitweb/invirt/packages/invirt-web.git/blobdiff_plain/e37dd15bbf8683bab8454ea0eec8e9968ce982b2..c8c25d005cebfe1189f3ae69ab1440a236490eca:/code/validation.py diff --git a/code/validation.py b/code/validation.py index fd2b979..4886638 100644 --- a/code/validation.py +++ b/code/validation.py @@ -1,5 +1,6 @@ #!/usr/bin/python +import cache_acls import getafsgroups import re import string @@ -71,18 +72,11 @@ def validAddVm(user): def haveAccess(user, machine): """Return whether a user has administrative access to a machine""" - if user in (machine.administrator, machine.owner): - return True - if getafsgroups.checkAfsGroup(user, machine.administrator, - 'athena.mit.edu'): #XXX Cell? - return True - if not getafsgroups.notLockerOwner(user, machine.owner): - return True - return owns(user, machine) + return user in cache_acls.accessList(machine) def owns(user, machine): """Return whether a user owns a machine""" - return not getafsgroups.notLockerOwner(user, machine.owner) + return user in expandLocker(machine.owner) def validMachineName(name): """Check that name is valid for a machine name""" @@ -151,26 +145,43 @@ def testMachineId(user, machine_id, exists=True): return machine def testAdmin(user, admin, machine): + """Determine whether a user can set the admin of a machine to this value. + + Return the value to set the admin field to (possibly 'system:' + + admin). XXX is modifying this a good idea? + """ if admin in (None, machine.administrator): return None if admin == user: return admin - if getafsgroups.checkAfsGroup(user, admin, 'athena.mit.edu'): - return admin - if getafsgroups.checkAfsGroup(user, 'system:'+admin, - 'athena.mit.edu'): - return 'system:'+admin + if ':' not in admin: + if cache_acls.isUser(admin): + return admin + admin = 'system:' + admin + try: + if user in getafsgroups.getAfsGroupMembers(admin, 'athena.mit.edu'): + return admin + except getafsgroups.AfsProcessError, e: + raise InvalidInput('administrator', admin, str(e)) + #XXX Should we require that user is in the admin group? return admin def testOwner(user, owner, machine=None): + """Determine whether a user can set the owner of a machine to this value. + + If machine is None, this is the owner of a new machine. + """ if owner == user or machine is not None and owner == machine.owner: return owner if owner is None: raise InvalidInput('owner', owner, "Owner must be specified") - value = getafsgroups.notLockerOwner(user, owner) - if not value: - return owner - raise InvalidInput('owner', owner, value) + try: + if user not in cache_acls.expandLocker(owner): + raise InvalidInput('owner', owner, 'You do not have access to the ' + + owner + ' locker') + except getafsgroups.AfsProcessError, e: + raise InvalidInput('owner', owner, str(e)) + return owner def testContact(user, contact, machine=None): if contact in (None, machine.contact):