From: Aline Manera <alinefm(a)linux.vnet.ibm.com>
GET and POST are the allowed methods for a Collection
If you want to restrict access to the Collection based on the request
method, you must set the self.admin_methods attribute accordingly.
Kimchi will restrict all POST requests to a Collection, i.e., only the
admin can create new resources in the Collection.
Signed-off-by: Aline Manera <alinefm(a)linux.vnet.ibm.com>
---
src/kimchi/control/base.py | 4 +++-
src/kimchi/control/utils.py | 8 +++++++-
2 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/src/kimchi/control/base.py b/src/kimchi/control/base.py
index 572f980..674c13b 100644
--- a/src/kimchi/control/base.py
+++ b/src/kimchi/control/base.py
@@ -284,7 +284,9 @@ def _split_filter(params):
@cherrypy.expose
def index(self, *args, **kwargs):
- method = validate_method(('GET', 'POST'))
+ method = validate_method(('GET', 'POST'),
+ self.role_key, self.admin_methods)
+
try:
if method == 'GET':
filter_params = cherrypy.request.params
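Review bot: The new call in `index` reads `self.role_key` and `self.admin_methods`, but this hunk does not show where a Collection gets those attributes; if they are not defaulted on the base class or set in `__init__` (outside the hunk), a subclass that omits them would fail with an AttributeError (a 500) instead of the intended 405/403. If they are not already declared, class-level defaults such as `role_key = None` and `admin_methods = []` on the Collection base would make the contract explicit. Note also that the commit message refers to `self.admin_method` while the code uses `self.admin_methods`. The body of `index` continues past the end of the hunk.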
diff --git a/src/kimchi/control/utils.py b/src/kimchi/control/utils.py
index aa592ef..aa5f452 100644
--- a/src/kimchi/control/utils.py
+++ b/src/kimchi/control/utils.py
@@ -25,6 +25,7 @@
from jsonschema import Draft3Validator, ValidationError, FormatChecker
+from kimchi.auth import USER_ROLES
from kimchi.exception import InvalidParameter, OperationFailed
from kimchi.utils import import_module, listPathModules
@@ -41,10 +42,15 @@ def model_fn(cls, fn_name):
return '%s_%s' % (get_class_name(cls), fn_name)
-def validate_method(allowed):
+def validate_method(allowed, role_key, admin_methods):
method = cherrypy.request.method.upper()
if method not in allowed:
raise cherrypy.HTTPError(405)
+
+ user_role = cherrypy.session.get(USER_ROLES, {}).get(role_key)
+ if user_role and user_role != 'admin' and method in admin_methods:
+ raise cherrypy.HTTPError(403)
+
return method
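Review bot: The role check `if user_role and user_role != 'admin' and method in admin_methods:` fails open: when the session has no role recorded for `role_key` (`user_role` is None or empty), the whole condition is false and a method listed in `admin_methods` is allowed through. If a missing role should be denied, drop the first conjunct: `if user_role != 'admin' and method in admin_methods:`. If letting an unknown role through is intentional (for example when no session role is ever set), a comment such as `# no role for this key in the session: treat the request as unrestricted` would make that decision visible to the next reader. A short docstring stating that `admin_methods` is an iterable of upper-case HTTP method names (it is only used with `in`) and that the function raises 405 for disallowed methods and 403 for non-admin access would also help callers.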
--
1.9.3