From 1d07c12ecad0ace2caae7baecd9f0f669b62cc35 Mon Sep 17 00:00:00 2001
From: Wenhao Xu
Date: Thu, 7 Feb 2013 17:18:12 +0800
Subject: Allow generic rules in context_is_admin rule in policy.

context_is_admin role is used by nova to check if the current user is the admin. But it can only check role rules. The fix allow generic rules in context_is_admin.
DocImpact
Fixes bug 1118142
Change-Id: Ib4823a67fe63d5356fc8c9280a2013b8855f5217
---
 nova/context.py | 7 +++----
 nova/policy.py | 7 ++++---
 2 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/nova/context.py b/nova/context.py
index 8731e012d..60fd5b4c0 100644
--- a/nova/context.py
+++ b/nova/context.py
@@ -65,9 +65,6 @@ class RequestContext(object):
 self.user_id = user_id
 self.project_id = project_id
 self.roles = roles or []
- self.is_admin = is_admin
- if self.is_admin is None:
- self.is_admin = policy.check_is_admin(self.roles)
 self.read_deleted = read_deleted
 self.remote_address = remote_address
 if not timestamp:
@@ -90,7 +87,9 @@ class RequestContext(object):
 self.quota_class = quota_class
 self.user_name = user_name
 self.project_name = project_name
-
+ self.is_admin = is_admin
+ if self.is_admin is None:
+ self.is_admin = policy.check_is_admin(self)
 if overwrite or not hasattr(local.store, 'context'):
 self.update_store()
diff --git a/nova/policy.py b/nova/policy.py
index 27e261eac..ac2f2e730 100644
--- a/nova/policy.py
+++ b/nova/policy.py
@@ -101,14 +101,15 @@ def enforce(context, action, target, do_raise=True):
 return policy.check(action, target, credentials, **extra)
-def check_is_admin(roles):
+def check_is_admin(context):
 """Whether or not roles contains 'admin' role according to policy setting.
 """
 init()
- target = {}
- credentials = {'roles': roles}
+ #the target is user-self
+ credentials = context.to_dict()
+ target = credentials
 return policy.check('context_is_admin', target, credentials)
--
cgit
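Review bot: In the second nova/context.py hunk, `policy.check_is_admin(self)` is now called from inside the constructor on a context whose `is_admin` is still `None`, and its result depends on every attribute that `to_dict()` reads having been assigned above it; nothing at the call site records that ordering constraint. A later edit that adds an attribute below this block, or moves the block back up, would hand the policy engine an incomplete credentials dict for the admin decision. I would add a comment directly above the assignment, e.g. `# Keep last: check_is_admin() evaluates policy against self.to_dict(), so all fields must be set.` It is also worth confirming (`to_dict()` is not visible here) that a `context_is_admin` rule reading `is_admin` behaves sensibly when it sees `None`. The constructor starts outside the hunk.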
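Review bot: In the nova/policy.py hunk, `target = credentials` makes target and credentials the same dict, so a generic rule that compares a credential with its own target key (the `key:%(key)s` form) would, assuming the engine substitutes target values the way generic checks usually do, match for every caller that has that key. Only comparisons against literals are meaningful for `context_is_admin`, and the docstring still describes the old roles-only behaviour. I would rewrite the docstring to say the function evaluates the `context_is_admin` rule with the context's own dict as both credentials and target, and replace the comment with `# Target is the caller's own context: only compare credentials with literals, never with %(key)s.` Because the parameter changed from a roles list to a context, any caller not shown in this patch that still passes roles would fail at `context.to_dict()`.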