Index: /trunk/packages/sipb-xen-www/code/cache_acls.py =================================================================== --- /trunk/packages/sipb-xen-www/code/cache_acls.py (revision 412) +++ /trunk/packages/sipb-xen-www/code/cache_acls.py (revision 413) @@ -29,5 +29,8 @@ return [name] name = 'system:'+name - return getafsgroups.getAfsGroupMembers(name, 'athena.mit.edu') + try: + return getafsgroups.getAfsGroupMembers(name, 'athena.mit.edu') + except getafsgroups.AfsProcessError: + return [] def accessList(m): Index: /trunk/packages/sipb-xen-www/code/getafsgroups.py =================================================================== --- /trunk/packages/sipb-xen-www/code/getafsgroups.py (revision 412) +++ /trunk/packages/sipb-xen-www/code/getafsgroups.py (revision 413) @@ -29,8 +29,9 @@ def getAfsGroupMembers(group, cell): - p = subprocess.Popen(["pts", "membership", group, '-c', cell], + p = subprocess.Popen(["pts", "membership", "-noauth", group, '-c', cell], stdout=subprocess.PIPE, stderr=subprocess.PIPE) - if p.wait(): - return [] + err = p.stderr.read() + if err: #Error code doesn't reveal missing groups, but stderr does + raise AfsProcessError(err) return [line.strip() for line in p.stdout.readlines()[1:]] @@ -39,10 +40,4 @@ raise AfsProcessError("Locker '%s' is invalid." % locker) return '/mit/' + locker - -def checkAfsGroup(user, group, cell): - """ - checkAfsGroup(user, group) returns True if and only if user is in AFS group group in cell cell - """ - return user in getAfsGroupMembers(group, cell) def getCell(locker): @@ -82,6 +77,6 @@ for entry in values: - if entry == user or (entry[0:6] == "system" and - checkAfsGroup(user, entry, cell)): + if entry == user or (entry[0:6] == "system" and + user in getAfsGroupMembers(entry, cell)): return False return "You don't have admin bits on " + getLockerPath(locker) @@ -90,8 +85,8 @@ if __name__ == "__main__": # print list(getldapgroups("tabbott")) - print checkAfsGroup("tabbott", "system:debathena", 'athena.mit.edu') - print checkAfsGroup("tabbott", "system:debathena", 'sipb.mit.edu') - print checkAfsGroup("tabbott", "system:debathena-root", 'athena.mit.edu') - print checkAfsGroup("tabbott", "system:hmmt-request", 'athena.mit.edu') + print "tabbott" in getAfsGroupMembers("system:debathena", 'athena.mit.edu') + print "tabbott" in getAfsGroupMembers("system:debathena", 'sipb.mit.edu') + print "tabbott" in getAfsGroupMembers("system:debathena-root", 'athena.mit.edu') + print "tabbott" in getAfsGroupMembers("system:hmmt-request", 'athena.mit.edu') print notLockerOwner("tabbott", "tabbott") print notLockerOwner("tabbott", "debathena") Index: /trunk/packages/sipb-xen-www/code/validation.py =================================================================== --- /trunk/packages/sipb-xen-www/code/validation.py (revision 412) +++ /trunk/packages/sipb-xen-www/code/validation.py (revision 413) @@ -159,7 +159,10 @@ return admin admin = 'system:' + admin - if getafsgroups.checkAfsGroup(user, admin, 'athena.mit.edu'): - return admin - #XXX Should we require that user is in cache_acls.expandName(admin)? + try: + if user in getafsgroups.getAfsGroupMembers(admin, 'athena.mit.edu'): + return admin + except getafsgroups.AfsProcessError, e: + raise InvalidInput('administrator', admin, str(e)) + #XXX Should we require that user is in the admin group? return admin