From: Eric Price <ecprice@mit.edu>
Date: Mon, 14 Apr 2008 04:01:30 +0000 (-0400)
Subject: Fix the bug jbarnold reported, where the real-time access control didn't match the... 
X-Git-Tag: sipb-xen-www/3.4~53
X-Git-Url: http://xvm.mit.edu/gitweb/invirt/packages/invirt-web.git/commitdiff_plain/289f1313e45320efc6775caefa0cea71caacb10c?ds=inline;hp=94b47c9d6a68a77ac7e5da91562261bebed0c053

Fix the bug jbarnold reported, where the real-time access control didn't match the cached version.

svn path=/trunk/packages/sipb-xen-www/; revision=411
---

diff --git a/code/validation.py b/code/validation.py
index fd2b979..9189764 100644
--- a/code/validation.py
+++ b/code/validation.py
@@ -1,5 +1,6 @@
 #!/usr/bin/python
 
+import cache_acls
 import getafsgroups
 import re
 import string
@@ -71,18 +72,11 @@ def validAddVm(user):
 
 def haveAccess(user, machine):
     """Return whether a user has administrative access to a machine"""
-    if user in (machine.administrator, machine.owner):
-        return True
-    if getafsgroups.checkAfsGroup(user, machine.administrator, 
-                                  'athena.mit.edu'): #XXX Cell?
-        return True
-    if not getafsgroups.notLockerOwner(user, machine.owner):
-        return True
-    return owns(user, machine)
+    return user in cache_acls.accessList(machine)
 
 def owns(user, machine):
     """Return whether a user owns a machine"""
-    return not getafsgroups.notLockerOwner(user, machine.owner)
+    return user in expandLocker(machine.owner)
 
 def validMachineName(name):
     """Check that name is valid for a machine name"""
@@ -151,26 +145,40 @@ def testMachineId(user, machine_id, exists=True):
     return machine
 
 def testAdmin(user, admin, machine):
+    """Determine whether a user can set the admin of a machine to this value.
+
+    Return the value to set the admin field to (possibly 'system:' +
+    admin).  XXX is modifying this a good idea?
+    """
     if admin in (None, machine.administrator):
         return None
     if admin == user:
         return admin
+    if ':' not in admin:
+        if cache_acls.isUser(admin):
+            return admin
+        admin = 'system:' + admin
     if getafsgroups.checkAfsGroup(user, admin, 'athena.mit.edu'):
         return admin
-    if getafsgroups.checkAfsGroup(user, 'system:'+admin,
-                                  'athena.mit.edu'):
-        return 'system:'+admin
+    #XXX Should we require that user is in cache_acls.expandName(admin)?
     return admin
     
 def testOwner(user, owner, machine=None):
+    """Determine whether a user can set the owner of a machine to this value.
+
+    If machine is None, this is the owner of a new machine.
+    """
     if owner == user or machine is not None and owner == machine.owner:
         return owner
     if owner is None:
         raise InvalidInput('owner', owner, "Owner must be specified")
-    value = getafsgroups.notLockerOwner(user, owner)
-    if not value:
-        return owner
-    raise InvalidInput('owner', owner, value)
+    try:
+        if user not in cache_acls.expandLocker(owner):
+            raise InvalidInput('owner', owner, 'You do not have access to the '
+                               + owner + ' locker')
+    except getafsgroups.AfsProcessError, e:
+        raise InvalidInput('owner', owner, str(e))
+    return owner
 
 def testContact(user, contact, machine=None):
     if contact in (None, machine.contact):