[PATCH V2 0/4] Authorization: disable non-root user functions in UI

From: Wen Wang <wenwang@linux.vnet.ibm.com> V1 -> V2: Store "roles" parameter in cookie instead of each tab's mode.(Aline) read only "roles" from cookie instead of roles of each tab(Aline) Minor changes in method of removing "Action" title under network tab (Hongliang Wang) This patch defines user privileges according to different user roles. In this release, only two roles are supported: "admin" and "user", combined with four modes: "admin", "byInstance", "read-only" and "none", each of which has its own privileges to different tabs as well as instances. Modes are stored in a cookie and functions of different roles are protected in the back-end. Wen Wang (4): Add roles into cookie Authorization: remove host/template tabs for non-root users Authorization: remove [+] icon from non-root users view Authorization: Remove actions based on roles ui/css/theme-default/storage.css | 18 +++++++++--------- ui/js/src/kimchi.guest_main.js | 4 ++++ ui/js/src/kimchi.login.js | 16 +++++++++------- ui/js/src/kimchi.main.js | 24 ++++++++++++++++-------- ui/js/src/kimchi.network.js | 9 +++++++++ ui/js/src/kimchi.storage_main.js | 11 +++++++++++ 6 files changed, 58 insertions(+), 24 deletions(-)

From: Wen Wang <wenwang@linux.vnet.ibm.com> V1 -> V2: This patch add "roles" parameter into cookie instead of each tab's mode(Aline) This patch add each tab's mode into cookie Signed-off-by: Wen Wang <wenwang@linux.vnet.ibm.com>
---
 ui/js/src/kimchi.login.js | 16 +++++++++-------
 1 files changed, 9 insertions(+), 7 deletions(-)
diff --git a/ui/js/src/kimchi.login.js b/ui/js/src/kimchi.login.js
index 72d2ee3..b20f0b0 100644
--- a/ui/js/src/kimchi.login.js
+++ b/ui/js/src/kimchi.login.js
@@ -36,8 +36,8 @@ kimchi.login_main = function() {
 var loginButton = $('#btn-login');
 var login = function(event) {
- $("#login").hide()
- $("#logging").show()
+ $("#login").hide();
+ $("#logging").show();
 var userName = userNameBox.val();
 userName && kimchi.user.setUserName(userName);
@@ -50,18 +50,20 @@ kimchi.login_main = function() {
 var query = window.location.search;
 var next = /.*next=(.*?)(&|$)/g.exec(query);
 if (next) {
- var next_url = decodeURIComponent(next[1])
+ var next_url = decodeURIComponent(next[1]);
 } else {
 var lastPage = kimchi.cookie.get('lastPage');
- var next_url = lastPage ? lastPage.replace(/\"/g,'') : "/"
+ var next_url = lastPage ? lastPage.replace(/\"/g,'') : "/";
 }
+ var next_url = lastPage ? lastPage.replace(/\"/g,'') : "/";
+ kimchi.cookie.set('roles',JSON.stringify(data.roles), 365);
 window.location.replace(next_url)
 }, function() {
- $("#messUserPass").show()
+ $("#messUserPass").show();
 $("#messSession").hide();
- $("#logging").hide()
- $("#login").show()
+ $("#logging").hide();
+ $("#login").show();
 });
 return false;
--
1.7.1
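Review bot: The extra `var next_url = lastPage ? lastPage.replace(/\"/g,'') : "/";` added after the `if (next) { … } else { … }` block in the second hunk reassigns `next_url` unconditionally, so the value decoded from the `next` query parameter is always discarded; when `next` matched, `lastPage` is still undefined (hoisted `var`) and the user lands on "/". That line looks like a rebase leftover and should be dropped, keeping only the `kimchi.cookie.set('roles', …)` addition. The roles cookie is written with a lifetime of 365 (presumably days) and can be edited by the user, so it can outlive a role change and is only usable as a display hint, not as an authorization decision. `data` is not defined in the visible lines, so confirm the success callback actually receives it; the callback starts outside the hunk.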

From: Wen Wang <wenwang@linux.vnet.ibm.com> V1 -> V2: read only "roles" from cookie instead of roles of each tab(Aline) This patch removed host/template tabs from non-root users Signed-off-by: Wen Wang <wenwang@linux.vnet.ibm.com>
---
 ui/js/src/kimchi.main.js | 24 ++++++++++++++++--------
 1 files changed, 16 insertions(+), 8 deletions(-)
diff --git a/ui/js/src/kimchi.main.js b/ui/js/src/kimchi.main.js
index 8eb4d73..9488299 100644
--- a/ui/js/src/kimchi.main.js
+++ b/ui/js/src/kimchi.main.js
@@ -23,13 +23,16 @@ kimchi.main = function() {
 $(tabs).each(function(i, tab) {
 var title = tab['title'];
 var path = tab['path'];
- tabsHtml.push(
- '<li>',
- '<a class="item" href="', path, '">',
- title,
- '</a>',
- '</li>'
- );
+ var mode = tab['mode'];
+ if (mode != 'none') {
+ tabsHtml.push(
+ '<li>',
+ '<a class="item" href="', path, '">',
+ title,
+ '</a>',
+ '</li>'
+ );
+ }
 });
 return tabsHtml.join('');
 };
@@ -41,9 +44,14 @@ kimchi.main = function() {
 var titleKey = $tab.find('title').text();
 var title = i18n[titleKey] ? i18n[titleKey] : titleKey;
 var path = $tab.find('path').text();
+ var roles = kimchi.cookie.get('roles');
+ var roleString = 'JSON.parse(roles).' + titleKey.toLowerCase();
+ var role = eval(roleString);
+ var mode = $tab.find('[role="' + role + '"]').attr('mode');
 tabs.push({
 title: title,
- path: path
+ path: path,
+ mode: mode
 });
 });
--
1.7.1
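Review bot: The filter in the first hunk fails open: a tab is hidden only when `mode` is exactly `'none'`, so a tab whose `mode` is undefined is still rendered, and the second hunk produces undefined whenever no `[role="…"]` element matches the role read from the cookie. For a permission filter the safer default is to hide on anything unexpected, e.g. `if (mode && mode !== 'none') {`. `path` and `title` are still concatenated into the markup unescaped, which is acceptable only while both come from the application's own tab definitions.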
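Review bot: `eval(roleString)` in the second hunk builds source text from the tab title and executes it, where a plain property lookup does the same job without running a string: `var role = JSON.parse(roles)[titleKey.toLowerCase()];`. `kimchi.cookie.get('roles')` can also be missing or malformed (cleared, expired or hand-edited cookie), in which case `JSON.parse` throws and no tabs are built, so the parse should be guarded and treated as "no role". `role` is then spliced into the selector `'[role="' + role + '"]'`; checking it against the known role names first would keep cookie content out of the selector. Since the cookie is client-controlled this can only decide what is displayed, and enforcement has to stay in the back-end as the cover letter states.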

On 07/21/2014 05:21 AM, wenwang@linux.vnet.ibm.com wrote:
From: Wen Wang <wenwang@linux.vnet.ibm.com>
V1 -> V2: read only "roles" from cookie instead of roles of each tab(Aline)
This patch removed host/template tabs from non-root users
Signed-off-by: Wen Wang <wenwang@linux.vnet.ibm.com>
---
 ui/js/src/kimchi.main.js | 24 ++++++++++++++++--------
 1 files changed, 16 insertions(+), 8 deletions(-)
diff --git a/ui/js/src/kimchi.main.js b/ui/js/src/kimchi.main.js
index 8eb4d73..9488299 100644
--- a/ui/js/src/kimchi.main.js
+++ b/ui/js/src/kimchi.main.js
@@ -23,13 +23,16 @@ kimchi.main = function() {
 $(tabs).each(function(i, tab) {
 var title = tab['title'];
 var path = tab['path'];
- tabsHtml.push(
- '<li>',
- '<a class="item" href="', path, '">',
- title,
- '</a>',
- '</li>'
- );
+ var mode = tab['mode'];
+ if (mode != 'none') {
+ tabsHtml.push(
+ '<li>',
+ '<a class="item" href="', path, '">',
+ title,
+ '</a>',
+ '</li>'
+ );
+ }
 });
 return tabsHtml.join('');
 };
@@ -41,9 +44,14 @@ kimchi.main = function() {
 var titleKey = $tab.find('title').text();
 var title = i18n[titleKey] ? i18n[titleKey] : titleKey;
 var path = $tab.find('path').text();
+ var roles = kimchi.cookie.get('roles');
+ var roleString = 'JSON.parse(roles).' + titleKey.toLowerCase();
+ var role = eval(roleString);
+ var mode = $tab.find('[role="' + role + '"]').attr('mode');
As you proposed in the previous patch set, you can store the role in a cookie here to be used when needed.
tabs.push({
 title: title,
- path: path
+ path: path,
+ mode: mode
 });
 });

On 07/22/2014 03:42 AM, Aline Manera wrote:
On 07/21/2014 05:21 AM, wenwang@linux.vnet.ibm.com wrote:
From: Wen Wang <wenwang@linux.vnet.ibm.com>
V1 -> V2: read only "roles" from cookie instead of roles of each tab(Aline)
This patch removed host/template tabs from non-root users
Signed-off-by: Wen Wang <wenwang@linux.vnet.ibm.com>
---
 ui/js/src/kimchi.main.js | 24 ++++++++++++++++--------
 1 files changed, 16 insertions(+), 8 deletions(-)
diff --git a/ui/js/src/kimchi.main.js b/ui/js/src/kimchi.main.js
index 8eb4d73..9488299 100644
--- a/ui/js/src/kimchi.main.js
+++ b/ui/js/src/kimchi.main.js
@@ -23,13 +23,16 @@ kimchi.main = function() {
 $(tabs).each(function(i, tab) {
 var title = tab['title'];
 var path = tab['path'];
- tabsHtml.push(
- '<li>',
- '<a class="item" href="', path, '">',
- title,
- '</a>',
- '</li>'
- );
+ var mode = tab['mode'];
+ if (mode != 'none') {
+ tabsHtml.push(
+ '<li>',
+ '<a class="item" href="', path, '">',
+ title,
+ '</a>',
+ '</li>'
+ );
+ }
 });
 return tabsHtml.join('');
 };
@@ -41,9 +44,14 @@ kimchi.main = function() {
 var titleKey = $tab.find('title').text();
 var title = i18n[titleKey] ? i18n[titleKey] : titleKey;
 var path = $tab.find('path').text();
+ var roles = kimchi.cookie.get('roles');
+ var roleString = 'JSON.parse(roles).' + titleKey.toLowerCase();
+ var role = eval(roleString);
+ var mode = $tab.find('[role="' + role + '"]').attr('mode');
As you proposed in the previous patch set, you can store the role in a cookie here to be used when needed.
ACK. As we discussed in the previous patch , it's "tabMode" that is going to be stored in
tabs.push({
 title: title,
- path: path
+ path: path,
+ mode: mode
 });
 });

From: Wen Wang <wenwang@linux.vnet.ibm.com> This patch removes [+] icon from the toolbar for users without 'admin' role Signed-off-by: Wen Wang <wenwang@linux.vnet.ibm.com>
---
 ui/js/src/kimchi.guest_main.js | 4 ++++
 ui/js/src/kimchi.network.js | 4 ++++
 ui/js/src/kimchi.storage_main.js | 4 ++++
 3 files changed, 12 insertions(+), 0 deletions(-)
diff --git a/ui/js/src/kimchi.guest_main.js b/ui/js/src/kimchi.guest_main.js
index acbae15..3d3a4b8 100644
--- a/ui/js/src/kimchi.guest_main.js
+++ b/ui/js/src/kimchi.guest_main.js
@@ -323,6 +323,10 @@ kimchi.guestSetRequestHeader = function(xhr) {
 };
 kimchi.guest_main = function() {
+ var guestsMode = kimchi.cookie.get('GuestsMode');
+ if(guestsMode != 'admin') {
+ $('.tools').remove();
+ }
 $("#vm-add").on("click", function(event) {
 kimchi.window.open('guest-add.html');
 });
diff --git a/ui/js/src/kimchi.network.js b/ui/js/src/kimchi.network.js
index cbd967f..a44e33c 100644
--- a/ui/js/src/kimchi.network.js
+++ b/ui/js/src/kimchi.network.js
@@ -19,6 +19,10 @@ kimchi.NETWORK_TYPE_BRIDGE = "bridged";
 kimchi.initNetwork = function() {
+ var networkMode = kimchi.cookie.get('NetworkMode');
+ if(networkMode != 'admin') {
+ $('.tools').remove();
+ }
 kimchi.initNetworkListView();
 kimchi.initNetworkDialog();
 kimchi.initNetworkCreation();
diff --git a/ui/js/src/kimchi.storage_main.js b/ui/js/src/kimchi.storage_main.js
index 3a18f82..593e7b1 100644
--- a/ui/js/src/kimchi.storage_main.js
+++ b/ui/js/src/kimchi.storage_main.js
@@ -234,6 +234,10 @@ kimchi.initLogicalPoolExtend = function() {
 }
 kimchi.storage_main = function() {
+ var storageMode = kimchi.cookie.get('StorageMode');
+ if(storageMode != 'admin') {
+ $('.tools').remove();
+ }
 $('#storage-pool-add').on('click', function() {
 kimchi.window.open('storagepool-add.html');
 });
--
1.7.1
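Review bot: All three hunks read per-tab cookies (`'GuestsMode'`, `'NetworkMode'`, `'StorageMode'`), but patch 1/4 of this V2 series stores only `'roles'`, and nothing in the visible hunks writes the per-tab names. If they are indeed never set, `kimchi.cookie.get(...)` cannot return `'admin'` and `$('.tools').remove()` runs for every user, administrators included; the same applies to the `NetworkMode` and `StorageMode` checks in patch 4/4. Deriving the mode from the `roles` cookie in one shared helper would keep the tabs consistent with `kimchi.main`. `$('.tools')` is a page-wide selector, so scoping it to the tab's own container may be needed to avoid touching toolbars elsewhere.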

From: Wen Wang <wenwang@linux.vnet.ibm.com> V1 -> V2: Minor changes in method of removing "Action" title under network tab (Hongliang Wang) Authorization: remove actions menu from storage/network tabs for non-root users Signed-off-by: Wen Wang <wenwang@linux.vnet.ibm.com> Conflicts: ui/js/src/kimchi.network.js
---
 ui/css/theme-default/storage.css | 18 +++++++++---------
 ui/js/src/kimchi.network.js | 5 +++++
 ui/js/src/kimchi.storage_main.js | 7 +++++++
 3 files changed, 21 insertions(+), 9 deletions(-)
diff --git a/ui/css/theme-default/storage.css b/ui/css/theme-default/storage.css
index e94c1ec..d0e64b3 100644
--- a/ui/css/theme-default/storage.css
+++ b/ui/css/theme-default/storage.css
@@ -17,7 +17,7 @@
 */
 /* STORAGE */
 .handle {
- width: 5%;
+ padding-left: 111px;
 }
 .storage-title {
@@ -148,37 +148,37 @@
 }
 .storage-name {
- width: 20%;
+ width: 199px;
 }
 .storage-state {
- width: 5%;
+ width: 51px;
 }
 .storage-location {
- width: 29%;
+ width: 288px;
 }
 .storage-type {
- width: 10%;
+ width: 98px;
 }
 .storage-capacity {
- width: 10%;
+ width: 98px;
 }
 .storage-allocate {
- width: 10%;
+ width: 98px;
 }
 .storage-button {
- width: 11%;
+ width: 108px;
 text-align: center;
 }
 .title-name {
- width: 198px;
+ width: 199px;
 }
 .title-state {
diff --git a/ui/js/src/kimchi.network.js b/ui/js/src/kimchi.network.js
index a44e33c..021f9a8 100644
--- a/ui/js/src/kimchi.network.js
+++ b/ui/js/src/kimchi.network.js
@@ -22,6 +22,7 @@ kimchi.initNetwork = function() {
 var networkMode = kimchi.cookie.get('NetworkMode');
 if(networkMode != 'admin') {
 $('.tools').remove();
+ $('#network-content .header span:last-child').remove();
 }
 kimchi.initNetworkListView();
 kimchi.initNetworkDialog();
@@ -52,6 +53,10 @@ kimchi.initNetworkListView = function() {
 kimchi.addNetworkItem = function(network) {
 $("#networkBody").append(kimchi.getNetworkItemHtml(network));
+ var networkMode = kimchi.cookie.get('NetworkMode');
+ if(networkMode != 'admin') {
+ $('.column-action').remove();
+ }
 kimchi.addNetworkActions(network);
 };
diff --git a/ui/js/src/kimchi.storage_main.js b/ui/js/src/kimchi.storage_main.js
index 593e7b1..d0b2a17 100644
--- a/ui/js/src/kimchi.storage_main.js
+++ b/ui/js/src/kimchi.storage_main.js
@@ -16,6 +16,10 @@
 * limitations under the License.
 */
 kimchi.doListStoragePools = function() {
+ var storageMode = kimchi.cookie.get('StorageMode');
+ if(storageMode != 'admin') {
+ $('.title-actions').remove();
+ }
 kimchi.listStoragePools(function(result) {
 var storageHtml = $('#storageTmpl').html();
 if (result && result.length) {
@@ -31,6 +35,9 @@ kimchi.doListStoragePools = function() {
 });
 $('#storagepoolsList').html(listHtml);
 kimchi.storageBindClick();
+ if(storageMode != 'admin') {
+ $('.storage-button').remove();
+ }
 } else {
 $('#storagepoolsList').html('');
 }
--
1.7.1
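Review bot: In the `kimchi.addNetworkItem` hunk the cookie is re-read and `$('.column-action').remove()` is run across the whole document for every row appended, and `kimchi.addNetworkActions(network)` is still called afterwards for non-admin users. Guarding the call keeps the action wiring off rows that have no action column, e.g. `if (networkMode != 'admin') { $('.column-action').remove(); } else { kimchi.addNetworkActions(network); }`, with the mode read once outside the per-row function. The same pattern appears in the `kimchi.doListStoragePools` hunks, where `kimchi.storageBindClick()` runs before `.storage-button` is removed. Because the mode comes from a cookie the user can edit, these removals only tidy the display; a short comment saying that the back-end performs the actual check would stop later readers from treating them as access control.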

Please ignore this patch. There are issues that still need to be confirmed. On 07/21/2014 04:21 PM, wenwang@linux.vnet.ibm.com wrote:
From: Wen Wang <wenwang@linux.vnet.ibm.com>
V1 -> V2: Store "roles" parameter in cookie instead of each tab's mode.(Aline) read only "roles" from cookie instead of roles of each tab(Aline) Minor changes in method of removing "Action" title under network tab (Hongliang Wang)
This patch defines user privilege according to different user roles In this release, only two roles are supported: "admin" and "user", conbined with four modes: "admin", "byInstance", "read-only" and "none", each of which has own privileges to different tabs as well as instances. modes are stored in cookie and functions of different roles are protected in the back-end.
Wen Wang (4): Add roles into cookie Authorization: remove host/template tabs for non-root users Authorization: remove [+] icon from non-root users view Authorization: Remove actions based on roles
ui/css/theme-default/storage.css | 18 +++++++++--------- ui/js/src/kimchi.guest_main.js | 4 ++++ ui/js/src/kimchi.login.js | 16 +++++++++------- ui/js/src/kimchi.main.js | 24 ++++++++++++++++-------- ui/js/src/kimchi.network.js | 9 +++++++++ ui/js/src/kimchi.storage_main.js | 11 +++++++++++ 6 files changed, 58 insertions(+), 24 deletions(-)