Changeset 411

Timestamp:

Apr 14, 2008, 12:01:30 AM (17 years ago)

Author:

ecprice

Message:

Fix the bug jbarnold reported, where the real-time access control didn't match the cached version.

File:

• trunk/packages/sipb-xen-www/code/validation.py (modified) (3 diffs)

trunk/packages/sipb-xen-www/code/validation.py

@@ -1 +1 @@
 #!/usr/bin/python
 
+import cache_acls
 import getafsgroups
 import re
@@ -72 +73 @@
 def haveAccess(user, machine):
     """Return whether a user has administrative access to a machine"""
-    if user in (machine.administrator, machine.owner):
-        return True
-    if getafsgroups.checkAfsGroup(user, machine.administrator, 
-                                  'athena.mit.edu'): #XXX Cell?
-        return True
-    if not getafsgroups.notLockerOwner(user, machine.owner):
-        return True
-    return owns(user, machine)
+    return user in cache_acls.accessList(machine)
 
 def owns(user, machine):
     """Return whether a user owns a machine"""
-    return not getafsgroups.notLockerOwner(user, machine.owner)
+    return user in expandLocker(machine.owner)
 
 def validMachineName(name):
@@ -152 +146 @@
 
 def testAdmin(user, admin, machine):
+    """Determine whether a user can set the admin of a machine to this value.
+
+    Return the value to set the admin field to (possibly 'system:' +
+    admin).  XXX is modifying this a good idea?
+    """
     if admin in (None, machine.administrator):
         return None
     if admin == user:
         return admin
+    if ':' not in admin:
+        if cache_acls.isUser(admin):
+            return admin
+        admin = 'system:' + admin
     if getafsgroups.checkAfsGroup(user, admin, 'athena.mit.edu'):
         return admin
-    if getafsgroups.checkAfsGroup(user, 'system:'+admin,
-                                  'athena.mit.edu'):
-        return 'system:'+admin
+    #XXX Should we require that user is in cache_acls.expandName(admin)?
     return admin
     
 def testOwner(user, owner, machine=None):
+    """Determine whether a user can set the owner of a machine to this value.
+
+    If machine is None, this is the owner of a new machine.
+    """
     if owner == user or machine is not None and owner == machine.owner:
         return owner
     if owner is None:
         raise InvalidInput('owner', owner, "Owner must be specified")
-    value = getafsgroups.notLockerOwner(user, owner)
-    if not value:
-        return owner
-    raise InvalidInput('owner', owner, value)
+    try:
+        if user not in cache_acls.expandLocker(owner):
+            raise InvalidInput('owner', owner, 'You do not have access to the '
+                               + owner + ' locker')
+    except getafsgroups.AfsProcessError, e:
+        raise InvalidInput('owner', owner, str(e))
+    return owner
 
 def testContact(user, contact, machine=None):