From: Eric Price Date: Mon, 14 Apr 2008 04:01:30 +0000 (-0400) Subject: Fix the bug jbarnold reported, where the real-time access control didn't match the... X-Git-Tag: sipb-xen-www/3.4~53 X-Git-Url: http://xvm.mit.edu/gitweb/invirt/packages/invirt-web.git/commitdiff_plain/289f1313e45320efc6775caefa0cea71caacb10c?ds=inline;hp=94b47c9d6a68a77ac7e5da91562261bebed0c053 Fix the bug jbarnold reported, where the real-time access control didn't match the cached version. svn path=/trunk/packages/sipb-xen-www/; revision=411 --- diff --git a/code/validation.py b/code/validation.py index fd2b979..9189764 100644 --- a/code/validation.py +++ b/code/validation.py @@ -1,5 +1,6 @@ #!/usr/bin/python +import cache_acls import getafsgroups import re import string @@ -71,18 +72,11 @@ def validAddVm(user): def haveAccess(user, machine): """Return whether a user has administrative access to a machine""" - if user in (machine.administrator, machine.owner): - return True - if getafsgroups.checkAfsGroup(user, machine.administrator, - 'athena.mit.edu'): #XXX Cell? - return True - if not getafsgroups.notLockerOwner(user, machine.owner): - return True - return owns(user, machine) + return user in cache_acls.accessList(machine) def owns(user, machine): """Return whether a user owns a machine""" - return not getafsgroups.notLockerOwner(user, machine.owner) + return user in expandLocker(machine.owner) def validMachineName(name): """Check that name is valid for a machine name""" @@ -151,26 +145,40 @@ def testMachineId(user, machine_id, exists=True): return machine def testAdmin(user, admin, machine): + """Determine whether a user can set the admin of a machine to this value. + + Return the value to set the admin field to (possibly 'system:' + + admin). XXX is modifying this a good idea? + """ if admin in (None, machine.administrator): return None if admin == user: return admin + if ':' not in admin: + if cache_acls.isUser(admin): + return admin + admin = 'system:' + admin if getafsgroups.checkAfsGroup(user, admin, 'athena.mit.edu'): return admin - if getafsgroups.checkAfsGroup(user, 'system:'+admin, - 'athena.mit.edu'): - return 'system:'+admin + #XXX Should we require that user is in cache_acls.expandName(admin)? return admin def testOwner(user, owner, machine=None): + """Determine whether a user can set the owner of a machine to this value. + + If machine is None, this is the owner of a new machine. + """ if owner == user or machine is not None and owner == machine.owner: return owner if owner is None: raise InvalidInput('owner', owner, "Owner must be specified") - value = getafsgroups.notLockerOwner(user, owner) - if not value: - return owner - raise InvalidInput('owner', owner, value) + try: + if user not in cache_acls.expandLocker(owner): + raise InvalidInput('owner', owner, 'You do not have access to the ' + + owner + ' locker') + except getafsgroups.AfsProcessError, e: + raise InvalidInput('owner', owner, str(e)) + return owner def testContact(user, contact, machine=None): if contact in (None, machine.contact):