add more credentials information to check_is_admin
Currently, only user_id can be specified when checking for admin. Add more credentials information to the admin check, because that is not enough in a multi-domain configuration. Change-Id: I5e3d6b88e8286b50bc0641163fadf27199fb4a55 closes-bug: 1619597
parent
29e00a3c63
commit
eb6ed41a54
|
@ -73,21 +73,16 @@ def enforce(context, action, target):
|
|||
def check_is_admin(roles, context=None):
|
||||
"""Whether or not user is admin according to policy setting.
|
||||
|
||||
Can use roles or user_id from context to determine if user is admin.
|
||||
In a multi-domain configuration, roles alone may not be sufficient.
|
||||
"""
|
||||
init()
|
||||
|
||||
# include project_id on target to avoid KeyError if context_is_admin
|
||||
# policy definition is missing, and default admin_or_owner rule
|
||||
# attempts to apply. Since our credentials dict does not include a
|
||||
# project_id, this target can never match as a generic rule.
|
||||
# attempts to apply.
|
||||
target = {'project_id': ''}
|
||||
if context is None:
|
||||
credentials = {'roles': roles}
|
||||
else:
|
||||
credentials = {'roles': context.roles,
|
||||
'user_id': context.user_id
|
||||
}
|
||||
credentials = context.to_dict()
|
||||
|
||||
return _ENFORCER.enforce('context_is_admin', target, credentials)
|
||||
|
|
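Review bot: Passing `credentials = context.to_dict()` appears to break the safeguard described in the longer comment above `target = {'project_id': ''}`, which this commit seems to shorten (the page has lost its +/- markers, so the sides are inferred). The old credentials dict held no project_id, so a fallback default rule could never match this target; the full context dict presumably does hold one, though `to_dict()` is not shown here. If the `context_is_admin` rule is missing and an owner-style default rule applies, a context with an empty-string project_id could compare equal to the target and be treated as admin. Either fail closed when the rule is undefined, or keep the comment accurate, e.g. `# NOTE: credentials now carry project_id; an empty value would match this target under the default rule`, and add a test for the missing-rule case. Also confirm that `to_dict()` does not put the auth token into the dict handed to `_ENFORCER.enforce`, where it could end up in policy debug logs.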