Changeset 411 for trunk


Ignore:
Timestamp:
Apr 14, 2008, 12:01:30 AM (17 years ago)
Author:
ecprice
Message:

Fix the bug jbarnold reported, where the real-time access control didn't match the cached version.

File:
1 edited

Legend:

Unmodified
Added
Removed
  • trunk/packages/sipb-xen-www/code/validation.py

    r277 r411  
    11#!/usr/bin/python
    22
     3import cache_acls
    34import getafsgroups
    45import re
     
    7273def haveAccess(user, machine):
    7374    """Return whether a user has administrative access to a machine"""
    74     if user in (machine.administrator, machine.owner):
    75         return True
    76     if getafsgroups.checkAfsGroup(user, machine.administrator,
    77                                   'athena.mit.edu'): #XXX Cell?
    78         return True
    79     if not getafsgroups.notLockerOwner(user, machine.owner):
    80         return True
    81     return owns(user, machine)
     75    return user in cache_acls.accessList(machine)
    8276
    8377def owns(user, machine):
    8478    """Return whether a user owns a machine"""
    85     return not getafsgroups.notLockerOwner(user, machine.owner)
     79    return user in expandLocker(machine.owner)
    8680
    8781def validMachineName(name):
     
    152146
    153147def testAdmin(user, admin, machine):
     148    """Determine whether a user can set the admin of a machine to this value.
     149
     150    Return the value to set the admin field to (possibly 'system:' +
     151    admin).  XXX is modifying this a good idea?
     152    """
    154153    if admin in (None, machine.administrator):
    155154        return None
    156155    if admin == user:
    157156        return admin
     157    if ':' not in admin:
     158        if cache_acls.isUser(admin):
     159            return admin
     160        admin = 'system:' + admin
    158161    if getafsgroups.checkAfsGroup(user, admin, 'athena.mit.edu'):
    159162        return admin
    160     if getafsgroups.checkAfsGroup(user, 'system:'+admin,
    161                                   'athena.mit.edu'):
    162         return 'system:'+admin
     163    #XXX Should we require that user is in cache_acls.expandName(admin)?
    163164    return admin
    164165   
    165166def testOwner(user, owner, machine=None):
     167    """Determine whether a user can set the owner of a machine to this value.
     168
     169    If machine is None, this is the owner of a new machine.
     170    """
    166171    if owner == user or machine is not None and owner == machine.owner:
    167172        return owner
    168173    if owner is None:
    169174        raise InvalidInput('owner', owner, "Owner must be specified")
    170     value = getafsgroups.notLockerOwner(user, owner)
    171     if not value:
    172         return owner
    173     raise InvalidInput('owner', owner, value)
     175    try:
     176        if user not in cache_acls.expandLocker(owner):
     177            raise InvalidInput('owner', owner, 'You do not have access to the '
     178                               + owner + ' locker')
     179    except getafsgroups.AfsProcessError, e:
     180        raise InvalidInput('owner', owner, str(e))
     181    return owner
    174182
    175183def testContact(user, contact, machine=None):
Note: See TracChangeset for help on using the changeset viewer.