diff options
| author | Devin Carlen <devin.carlen@gmail.com> | 2010-09-29 00:49:04 -0700 |
|---|---|---|
| committer | Devin Carlen <devin.carlen@gmail.com> | 2010-09-29 00:49:04 -0700 |
| commit | fe139bbdee60aadd720cb7a83d0846f2824c078f (patch) | |
| tree | 128c8f72e68caa135e1569923add4f2ab198804b /nova/db | |
| parent | 43ce84290964b433fd9d9898772d29bffc385dd8 (diff) | |
| download | nova-fe139bbdee60aadd720cb7a83d0846f2824c078f.tar.gz nova-fe139bbdee60aadd720cb7a83d0846f2824c078f.tar.xz nova-fe139bbdee60aadd720cb7a83d0846f2824c078f.zip | |
Began wiring up context authorization
Diffstat (limited to 'nova/db')
| -rw-r--r-- | nova/db/sqlalchemy/api.py | 50 |
1 files changed, 48 insertions, 2 deletions
diff --git a/nova/db/sqlalchemy/api.py b/nova/db/sqlalchemy/api.py index 9c3caf9af..b5847d299 100644 --- a/nova/db/sqlalchemy/api.py +++ b/nova/db/sqlalchemy/api.py @@ -19,6 +19,7 @@ Implementation of SQLAlchemy backend """ +import logging import sys from nova import db @@ -48,6 +49,24 @@ def _deleted(context): return context.get('deleted', False) +def is_admin_context(context): + if not context: + logging.warning('Use of empty request context is deprecated') + return True + if not context.user: + return True + return context.user.is_admin() + + +def is_user_context(context): + if not context: + logging.warning('Use of empty request context is deprecated') + return False + if not context.user or not context.project: + return False + return True + + ################### @@ -869,14 +888,41 @@ def volume_detached(_context, volume_id): def volume_get(context, volume_id): - return models.Volume.find(volume_id, deleted=_deleted(context)) + session = get_session() + + if is_admin_context(context): + volume_ref = session.query(models.Volume + ).filter_by(id=volume_id + ).filter_by(deleted=_deleted(context) + ).first() + if not volume_ref: + raise exception.NotFound('No volume for id %s' % volume_id) + + if is_user_context(context): + volume_ref = session.query(models.Volume + ).filter_by(project_id=project_id + ).filter_by(id=volume_id + ).filter_by(deleted=False + ).first() + if not volume_ref: + raise exception.NotFound('No volume for id %s' % volume_id) + + raise exception.NotAuthorized() def volume_get_all(context): - return models.Volume.all(deleted=_deleted(context)) + if is_admin_context(context): + return models.Volume.all(deleted=_deleted(context)) + raise exception.NotAuthorized() def volume_get_all_by_project(context, project_id): + if is_user_context(context): + if context.project.id != project_id: + raise exception.NotAuthorized() + elif not is_admin_context(context): + raise exception.NotAuthorized() + session = get_session() return session.query(models.Volume ).filter_by(project_id=project_id |