diff --git a/cinder/db/sqlalchemy/api.py b/cinder/db/sqlalchemy/api.py
index 0abaa25c080..fa84155c883 100644
--- a/cinder/db/sqlalchemy/api.py
+++ b/cinder/db/sqlalchemy/api.py
@@ -787,7 +787,6 @@ def quota_get(context, project_id, resource):
 @require_context
 def quota_get_all_by_project(context, project_id):
- authorize_project_context(context, project_id)
 rows = model_query(context, models.Quota, read_deleted="no").\
 filter_by(project_id=project_id).\
@@ -819,7 +818,7 @@ def _quota_get_by_resource(context, resource, session=None):
 return rows
-@require_admin_context
+@require_context
 def quota_create(context, project_id, resource, limit, allocated):
 quota_ref = models.Quota()
 quota_ref.project_id = project_id
@@ -834,7 +833,7 @@ def quota_create(context, project_id, resource, limit, allocated):
 return quota_ref
-@require_admin_context
+@require_context
 def quota_update(context, project_id, resource, limit):
 session = get_session()
 with session.begin():
@@ -905,7 +904,6 @@ def quota_class_get_default(context):
 @require_context
 def quota_class_get_all_by_name(context, class_name):
- authorize_quota_class_context(context, class_name)
 rows = model_query(context, models.QuotaClass, read_deleted="no").\
 filter_by(class_name=class_name).\
@@ -930,7 +928,7 @@ def _quota_class_get_all_by_resource(context, resource, session):
 @handle_db_data_error
-@require_admin_context
+@require_context
 def quota_class_create(context, class_name, resource, limit):
 quota_class_ref = models.QuotaClass()
 quota_class_ref.class_name = class_name
@@ -943,7 +941,7 @@ def quota_class_create(context, class_name, resource, limit):
 return quota_class_ref
-@require_admin_context
+@require_context
 def quota_class_update(context, class_name, resource, limit):
 session = get_session()
 with session.begin():
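Review bot: With `authorize_project_context(context, project_id)` removed from `quota_get_all_by_project`, the function returns rows for whatever `project_id` the caller passes, for any authenticated context. The same applies to `quota_usage_get_all_by_project` and, for class names, to `quota_class_get_all_by_name` in later hunks of this file. Since `volume_extension:quotas:show` is still `""` in the test policy, cross-project reads are presumably blocked only by a check in the API controller, which is not visible in this diff; a test that a non-admin context asking for another project's quotas is rejected would pin that. I would also add a comment above the query such as `# Project ownership is not checked here; callers must authorize project_id first.` The function body continues past the end of the hunk.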
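Review bot: Switching `quota_create` from `@require_admin_context` to `@require_context` leaves the DB write guarded only by whatever policy check the caller runs, so any internal caller holding a non-admin context can now change limits. The same relaxation is made to `quota_update`, `quota_class_create`, `quota_class_update`, `quota_class_destroy` and `quota_class_destroy_all_by_name`. None of these functions has a visible docstring saying where authorization now happens; something like `"""Create a quota row; the caller must already have enforced the volume_extension:quotas:update policy."""` on each would make the contract explicit. A DB-level unit test calling these with a non-admin context would also record that the new behaviour is intended.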
@@ -963,7 +961,7 @@ def quota_class_update_resource(context, old_res, new_res):
 quota_class.resource = new_res
-@require_admin_context
+@require_context
 def quota_class_destroy(context, class_name, resource):
 session = get_session()
 with session.begin():
@@ -972,7 +970,7 @@ def quota_class_destroy(context, class_name, resource):
 return quota_class_ref.delete(session=session)
-@require_admin_context
+@require_context
 def quota_class_destroy_all_by_name(context, class_name):
 session = get_session()
 with session.begin():
@@ -1003,7 +1001,6 @@ def quota_usage_get(context, project_id, resource):
 @require_context
 def quota_usage_get_all_by_project(context, project_id):
- authorize_project_context(context, project_id)
 rows = model_query(context, models.QuotaUsage, read_deleted="no").\
 filter_by(project_id=project_id).\
diff --git a/cinder/tests/unit/api/contrib/test_quotas.py b/cinder/tests/unit/api/contrib/test_quotas.py
index 811efd5e648..875e986b18d 100644
--- a/cinder/tests/unit/api/contrib/test_quotas.py
+++ b/cinder/tests/unit/api/contrib/test_quotas.py
@@ -281,8 +281,9 @@ class QuotaSetsControllerTest(QuotaSetsControllerTestBase):
 self.req.environ['cinder.context'].is_admin = False
 self.req.environ['cinder.context'].project_id = fake.PROJECT_ID
 self.req.environ['cinder.context'].user_id = 'foo_user'
- self.assertRaises(webob.exc.HTTPForbidden, self.controller.update,
- self.req, fake.PROJECT_ID, make_body(tenant_id=None))
+ self.assertRaises(exception.PolicyNotAuthorized,
+ self.controller.update, self.req, fake.PROJECT_ID,
+ make_body(tenant_id=None))
 def test_update_without_quota_set_field(self):
 body = {'fake_quota_set': {'gigabytes': 100}}
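Review bot: The non-admin update assertion in this hunk now expects the internal `exception.PolicyNotAuthorized` instead of `webob.exc.HTTPForbidden`, so nothing in these tests checks the status a client actually receives. The same substitution appears in `test_delete_no_admin` and in the two assertion hunks of test_quotas_classes.py. Presumably the exception is translated to a 403 further up the WSGI stack; a test that sends the request through that layer and checks the response code would keep the externally visible behaviour pinned. The test method starts above the hunk, so its name is not visible here.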
@@ -372,8 +373,8 @@ class QuotaSetsControllerTest(QuotaSetsControllerTestBase):
 def test_delete_no_admin(self):
 self.req.environ['cinder.context'].is_admin = False
- self.assertRaises(webob.exc.HTTPForbidden, self.controller.delete,
- self.req, fake.PROJECT_ID)
+ self.assertRaises(exception.PolicyNotAuthorized,
+ self.controller.delete, self.req, fake.PROJECT_ID)
 def test_subproject_show_not_using_nested_quotas(self):
 # Current roles say for non-nested quotas, an admin should be able to
diff --git a/cinder/tests/unit/api/contrib/test_quotas_classes.py b/cinder/tests/unit/api/contrib/test_quotas_classes.py
index cdec1b98562..8c236242657 100644
--- a/cinder/tests/unit/api/contrib/test_quotas_classes.py
+++ b/cinder/tests/unit/api/contrib/test_quotas_classes.py
@@ -25,6 +25,7 @@ import webob.exc
 from cinder.api.contrib import quota_classes
 from cinder import context
+from cinder import exception
 from cinder import quota
 from cinder import test
 from cinder.tests.unit import fake_constants as fake
@@ -99,7 +100,7 @@ class QuotaClassSetsControllerTest(test.TestCase):
 self.req.environ['cinder.context'].is_admin = False
 self.req.environ['cinder.context'].user_id = fake.USER_ID
 self.req.environ['cinder.context'].project_id = fake.PROJECT_ID
- self.assertRaises(webob.exc.HTTPForbidden, self.controller.show,
+ self.assertRaises(exception.PolicyNotAuthorized, self.controller.show,
 self.req, fake.PROJECT_ID)
 def test_update(self):
@@ -138,8 +139,9 @@ class QuotaClassSetsControllerTest(test.TestCase):
 def test_update_no_admin(self):
 self.req.environ['cinder.context'].is_admin = False
- self.assertRaises(webob.exc.HTTPForbidden, self.controller.update,
- self.req, fake.PROJECT_ID, make_body(tenant_id=None))
+ self.assertRaises(exception.PolicyNotAuthorized,
+ self.controller.update, self.req, fake.PROJECT_ID,
+ make_body(tenant_id=None))
 def test_update_with_more_volume_types(self):
 volume_types.create(self.ctxt, 'fake_type_1')
diff --git a/cinder/tests/unit/policy.json b/cinder/tests/unit/policy.json
index f5533dd8aa9..c64778065a1 100644
--- a/cinder/tests/unit/policy.json
+++ b/cinder/tests/unit/policy.json
@@ -68,9 +68,9 @@
 "volume_extension:volume_mig_status_attribute": "rule:admin_api",
 "volume_extension:hosts": "rule:admin_api",
 "volume_extension:quotas:show": "",
- "volume_extension:quotas:update": "",
- "volume_extension:quotas:delete": "",
- "volume_extension:quota_classes": "",
+ "volume_extension:quotas:update": "rule:admin_api",
+ "volume_extension:quotas:delete": "rule:admin_api",
+ "volume_extension:quota_classes": "rule:admin_api",
 "volume_extension:services:index": "",
 "volume_extension:services:update" : "rule:admin_api",
 "volume_extension:volume_manage": "rule:admin_api",
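Review bot: Only the unit-test policy is tightened here, and the old values (`""` for `volume_extension:quotas:update`, `volume_extension:quotas:delete` and `volume_extension:quota_classes`) suggest that an empty rule used to be safe only because the DB layer rejected non-admin contexts. With those decorators relaxed in api.py, a deployed policy file that still carries empty rules for these keys would let any authenticated user change or delete quotas. The shipped default policy is not part of this diff, so it should be confirmed to use `rule:admin_api` for all three, and the change deserves an upgrade note telling operators to check overridden policy files. Note also that `volume_extension:quota_classes` is a single key, so showing a quota class becomes admin-only along with updating it.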