From: Peter Iannucci <iannucci@mit.edu>
Date: Mon, 20 May 2013 13:00:48 +0000 (-0400)
Subject: Fixed validation of administrator field.
X-Git-Tag: 0.1.31^0
X-Git-Url: http://xvm.mit.edu/gitweb/invirt/packages/invirt-web.git/commitdiff_plain/refs/heads/iannucci

Fixed validation of administrator field.
---

diff --git a/code/validation.py b/code/validation.py
index 5018ca3..d288a69 100755
--- a/code/validation.py
+++ b/code/validation.py
@@ -209,8 +209,7 @@ def testMachineId(user, state, machine_id, exists=True):
 def testAdmin(user, admin, machine):
     """Determine whether a user can set the admin of a machine to this value.
 
-    Return the value to set the admin field to (possibly 'system:' +
-    admin).  XXX is modifying this a good idea?
+    Return the value to set the admin field to (possibly 'system:' + admin).
     """
     if admin is None:
         return None
@@ -218,20 +217,17 @@ def testAdmin(user, admin, machine):
         return admin
     if admin == user:
         return admin
+    # we do not require that the user be in the admin group;
+    # just that it is a non-empty set
+    if authz.expandAdmin(admin):
+        return admin
     if ':' not in admin:
-        if cache_acls.isUser(admin):
-            return admin
-        admin = 'system:' + admin
-    try:
-        if user in getafsgroups.getAfsGroupMembers(admin, config.authz.afs.cells[0].cell):
-            return admin
-    except getafsgroups.AfsProcessError, e:
-        errmsg = str(e)
-        if errmsg.startswith("pts: User or group doesn't exist"):
-            errmsg = 'The group "%s" does not exist.' % admin
-        raise InvalidInput('administrator', admin, errmsg)
-    #XXX Should we require that user is in the admin group?
-    return admin
+        if authz.expandAdmin('system:' + admin):
+            return 'system:' + admin
+        errmsg = 'No user "%s" or non-empty group "system:%s" found.' % (admin, admin)
+    else:
+        errmsg = 'No non-empty group "%s" found.' % (admin,)
+    raise InvalidInput('administrator', admin, errmsg)
 
 def testOwner(user, owner, machine=None):
     """Determine whether a user can set the owner of a machine to this value.
diff --git a/debian/changelog b/debian/changelog
index f0e2736..e41decc 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+invirt-web (0.1.31) unstable; urgency=low
+
+  * Fixed validation of administrator field to use authz.
+
+ -- Peter A. Iannucci <iannucci@mit.edu>  Mon, 20 May 2013 09:00:00 -0400
+
 invirt-web (0.1.30) unstable; urgency=low
 
   * Fixed formatting for the changes to help.