[Kimchi-devel] [PATCH] issue #435: Fix resource authorization logic
Crístian Viana
vianac at linux.vnet.ibm.com
Wed Sep 24 01:39:33 UTC 2014
The current logic is broken. Therefore, some cases which
should allow a user to have access to a VM may fail.
For example, if one VM has only group permission but no user permission,
users who are members of the allowed groups are not able to access
that VM. Other cases may behave wrong as well.
Change the authorization logic so it works in all cases.
Signed-off-by: Crístian Viana <vianac at linux.vnet.ibm.com>
---
src/kimchi/control/base.py | 9 +++------
tests/test_authorization.py | 5 ++++-
2 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/src/kimchi/control/base.py b/src/kimchi/control/base.py
index 6391a1a..2e0816f 100644
--- a/src/kimchi/control/base.py
+++ b/src/kimchi/control/base.py
@@ -160,13 +160,10 @@ class Resource(object):
users = self.data.get("users", None)
groups = self.data.get("groups", None)
- if (users is not None or groups is not None) and \
- user_role and user_role != 'admin' and \
- (user_name not in users or
- (groups and list(set(user_groups) & set(groups)) == [])):
- return False
+ if (users is None and groups is None) or user_role == 'admin':
+ return True
- return True
+ return user_name in users or len(set(user_groups) & set(groups)) > 0
def update(self):
try:
diff --git a/tests/test_authorization.py b/tests/test_authorization.py
index a74e3c7..2c342a5 100644
--- a/tests/test_authorization.py
+++ b/tests/test_authorization.py
@@ -121,10 +121,13 @@ class AuthorizationTests(unittest.TestCase):
model.vms_create({'name': u'test-usera', 'template': '/templates/test'})
model.vm_update(u'test-usera', {'users': [ 'userA' ], 'groups': []})
+ model.vms_create({'name': u'test-groupa', 'template': '/templates/test'})
+ model.vm_update(u'test-groupa', {'groups': [ 'groupA' ]})
+
resp = self.request('/vms', '{}', 'GET')
self.assertEquals(200, resp.status)
vms_data = json.loads(resp.read())
- self.assertEquals([ u'test-me' ], [ v['name'] for v in vms_data ])
+ self.assertEquals([ u'test-groupa', u'test-me' ], sorted([ v['name'] for v in vms_data ]))
resp = self.request('/vms', req, 'POST')
self.assertEquals(403, resp.status)
--
1.9.3
More information about the Kimchi-devel
mailing list