From: Peter Iannucci
Date: Mon, 20 May 2013 13:00:48 +0000 (-0400)
Subject: Fixed validation of administrator field.
X-Git-Tag: 0.1.31^0
X-Git-Url: http://xvm.mit.edu/gitweb/invirt/packages/invirt-web.git/commitdiff_plain/refs/heads/iannucci

Fixed validation of administrator field.
---
diff --git a/code/validation.py b/code/validation.py
index 5018ca3..d288a69 100755
--- a/code/validation.py
+++ b/code/validation.py
@@ -209,8 +209,7 @@ def testMachineId(user, state, machine_id, exists=True):
 def testAdmin(user, admin, machine):
 """Determine whether a user can set the admin of a machine to this value.
- Return the value to set the admin field to (possibly 'system:' +
- admin). XXX is modifying this a good idea?
+ Return the value to set the admin field to (possibly 'system:' + admin).
 """
 if admin is None:
 return None
@@ -218,20 +217,17 @@ def testAdmin(user, admin, machine):
 return admin
 if admin == user:
 return admin
+ # we do not require that the user be in the admin group;
+ # just that it is a non-empty set
+ if authz.expandAdmin(admin):
+ return admin
 if ':' not in admin:
- if cache_acls.isUser(admin):
- return admin
- admin = 'system:' + admin
- try:
- if user in getafsgroups.getAfsGroupMembers(admin, config.authz.afs.cells[0].cell):
- return admin
- except getafsgroups.AfsProcessError, e:
- errmsg = str(e)
- if errmsg.startswith("pts: User or group doesn't exist"):
- errmsg = 'The group "%s" does not exist.' % admin
- raise InvalidInput('administrator', admin, errmsg)
- #XXX Should we require that user is in the admin group?
- return admin
+ if authz.expandAdmin('system:' + admin):
+ return 'system:' + admin
+ errmsg = 'No user "%s" or non-empty group "system:%s" found.' % (admin, admin)
+ else:
+ errmsg = 'No non-empty group "%s" found.' % (admin,)
+ raise InvalidInput('administrator', admin, errmsg)
 def testOwner(user, owner, machine=None):
 """Determine whether a user can set the owner of a machine to this value.
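Review bot: The docstring edited in the first hunk of code/validation.py still describes only the return value, while the body changed in the second hunk now ends in `raise InvalidInput('administrator', admin, errmsg)` and accepts any principal that expands to a non-empty set. That authorization policy should be stated where callers read it, for example `Raises InvalidInput if admin names neither a user nor a non-empty group.` and `The caller does not have to be a member of the group.` Removing the XXX question is fine, but the answer it asked for belongs in the docstring and not only in an inline comment. The rest of testAdmin lies outside this hunk.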
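Review bot: The second hunk of code/validation.py drops the `except getafsgroups.AfsProcessError` handler, so the new branch is only correct if `authz.expandAdmin` returns an empty result for an unknown or malformed name instead of raising; its implementation is not visible here. If it can raise, a mistyped administrator would surface as an unhandled error and not as `InvalidInput`, and the form value reaches the authz backend with no check beyond `':' not in admin`. I would record the contract next to the call, `# expandAdmin must return an empty set, not raise, for unknown names`, or convert its lookup error to `InvalidInput` as the removed code did. Because `admin` is echoed into `errmsg`, whatever renders `InvalidInput` needs to escape it; presumably it does, but that is worth confirming. testAdmin begins before this hunk.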
diff --git a/debian/changelog b/debian/changelog
index f0e2736..e41decc 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+invirt-web (0.1.31) unstable; urgency=low
+
+ * Fixed validation of administrator field to use authz.
+
+ -- Peter A. Iannucci Mon, 20 May 2013 09:00:00 -0400
+
 invirt-web (0.1.30) unstable; urgency=low
 * Fixed formatting for the changes to help.