[Kimchi-devel] [PATCH 2/9] authorization: Restrict Collection access based on admin_methods parameter

alinefm at linux.vnet.ibm.com alinefm at linux.vnet.ibm.com
Wed Jul 23 20:39:13 UTC 2014


From: Aline Manera <alinefm at linux.vnet.ibm.com>

GET and POST are the allowed methods for a Collection.
If you want to restrict access to the Collection based on the request
method, you must set the self.admin_methods parameter accordingly.
Kimchi will restrict all POST requests to a Collection, i.e., only the
admin can create new resources in the Collection.

Signed-off-by: Aline Manera <alinefm at linux.vnet.ibm.com>
---
 src/kimchi/control/base.py  | 4 +++-
 src/kimchi/control/utils.py | 8 +++++++-
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/src/kimchi/control/base.py b/src/kimchi/control/base.py
index 572f980..674c13b 100644
--- a/src/kimchi/control/base.py
+++ b/src/kimchi/control/base.py
@@ -284,7 +284,9 @@ def _split_filter(params):
 
     @cherrypy.expose
     def index(self, *args, **kwargs):
-        method = validate_method(('GET', 'POST'))
+        method = validate_method(('GET', 'POST'),
+                                 self.role_key, self.admin_methods)
+
         try:
             if method == 'GET':
                 filter_params = cherrypy.request.params
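Review bot: `index` now reads `self.role_key` and `self.admin_methods` on every request, so a Collection subclass that does not define both fails here with AttributeError (a 500) rather than the intended 403/405. The Collection class body is outside the hunk, so I cannot confirm whether class-level defaults exist; if they do not, declaring `role_key = None` and `admin_methods = ()` on the base class would make the dependency explicit and keep subclasses that need no restriction working unchanged. A one-line comment above the call, `# 405 for disallowed verbs, then 403 for admin-only verbs`, would also document the order of the two checks. The body of `index` continues past the end of this hunk.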
diff --git a/src/kimchi/control/utils.py b/src/kimchi/control/utils.py
index aa592ef..aa5f452 100644
--- a/src/kimchi/control/utils.py
+++ b/src/kimchi/control/utils.py
@@ -25,6 +25,7 @@
 from jsonschema import Draft3Validator, ValidationError, FormatChecker
 
 
+from kimchi.auth import USER_ROLES
 from kimchi.exception import InvalidParameter, OperationFailed
 from kimchi.utils import import_module, listPathModules
 
@@ -41,10 +42,15 @@ def model_fn(cls, fn_name):
     return '%s_%s' % (get_class_name(cls), fn_name)
 
 
-def validate_method(allowed):
+def validate_method(allowed, role_key, admin_methods):
     method = cherrypy.request.method.upper()
     if method not in allowed:
         raise cherrypy.HTTPError(405)
+
+    user_role = cherrypy.session.get(USER_ROLES, {}).get(role_key)
+    if user_role and user_role != 'admin' and method in admin_methods:
+        raise cherrypy.HTTPError(403)
+
     return method
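Review bot: The new 403 check on the line `if user_role and user_role != 'admin' and method in admin_methods:` fails open: when the session holds no role under `role_key` (`user_role` is `None` or empty), the condition is skipped and the admin-only method is allowed through for that user. If an absent role should be treated as non-admin, the guard should fail closed, `if user_role != 'admin' and method in admin_methods:`. Separately, `method in admin_methods` raises TypeError when a caller passes `None`, so `method in (admin_methods or ())` avoids turning a misconfigured Collection into a 500. I cannot see how `USER_ROLES` is populated at login, so whether an authenticated user can reach this path without a role entry is inferred, not confirmed; a docstring on `validate_method` stating that `role_key` selects the role entry and `admin_methods` lists the verbs reserved for `'admin'` would help the next reader.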
 
 
-- 
1.9.3



