
From: Aline Manera <alinefm@linux.vnet.ibm.com>
GET and POST are the allowed methods for a Collection If you want to restrict access to the Collection based on the request method, you must set the self.admin_method parameter accordingly Kimchi will restrict all the POST request to a Collection, ie, only the admin can create new resources in the Collection
Signed-off-by: Aline Manera <alinefm@linux.vnet.ibm.com>
---
 src/kimchi/control/base.py | 4 +++-
 src/kimchi/control/utils.py | 8 +++++++-
 2 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/src/kimchi/control/base.py b/src/kimchi/control/base.py
index 572f980..674c13b 100644
--- a/src/kimchi/control/base.py
+++ b/src/kimchi/control/base.py
@@ -284,7 +284,9 @@ def _split_filter(params):
 @cherrypy.expose
 def index(self, *args, **kwargs):
- method = validate_method(('GET', 'POST'))
+ method = validate_method(('GET', 'POST'),
+ self.role_key, self.admin_methods)
+
 try:
 if method == 'GET':
 filter_params = cherrypy.request.params
diff --git a/src/kimchi/control/utils.py b/src/kimchi/control/utils.py
index aa592ef..aa5f452 100644
--- a/src/kimchi/control/utils.py
+++ b/src/kimchi/control/utils.py
@@ -25,6 +25,7 @@ from jsonschema import Draft3Validator, ValidationError, FormatChecker
+from kimchi.auth import USER_ROLES
 from kimchi.exception import InvalidParameter, OperationFailed
 from kimchi.utils import import_module, listPathModules
@@ -41,10 +42,15 @@ def model_fn(cls, fn_name):
 return '%s_%s' % (get_class_name(cls), fn_name)
-def validate_method(allowed):
+def validate_method(allowed, role_key, admin_methods):
 method = cherrypy.request.method.upper()
 if method not in allowed:
 raise cherrypy.HTTPError(405)
+
+ user_role = cherrypy.session.get(USER_ROLES, {}).get(role_key)
+ if user_role and user_role != 'admin' and method in admin_methods:
+ raise cherrypy.HTTPError(403)
+
 return method
--
1.9.3
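Review bot: `index` now depends on `self.role_key` and `self.admin_methods` being set on every Collection, but nothing in this hunk shows where they come from, so a subclass that leaves either unset would fail with an AttributeError (a 500) on every request instead of a clean 403. If they are initialised by the Collection base class, a one-line comment at the call, `# role_key/admin_methods are set by the Collection base class; a non-admin using an admin method gets 403`, would make that dependency visible to readers of this method; otherwise class-level defaults with admin_methods covering POST, which is what the commit message describes, would keep the check closed by default. The body of index continues past the end of the hunk.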
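Review bot: The role check in `validate_method` fails open: `if user_role and user_role != 'admin' and method in admin_methods` skips the 403 entirely when the session has no USER_ROLES entry or no role under role_key, so a session whose role is unset is treated like an admin for the admin-only methods. Unless every request reaching this function is guaranteed to carry a role (nothing in the hunk shows that), the guard should deny on a missing role too: `if method in admin_methods and user_role != 'admin': raise cherrypy.HTTPError(403)`. The new signature also breaks any caller of validate_method this patch does not update; the diffstat shows only Collection.index being adjusted, so any other call site would now raise TypeError at request time. A short docstring saying that role_key selects the role in the session's USER_ROLES map and that admin_methods lists the methods only 'admin' may use would help later readers.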