Create new policy for downloading deactivated artifacts
Currently there is a check in the engine that verifies that only admins can download deactivated artifacts. This is not recommended; it is much wiser to create a policy for this check. Change-Id: I26fb4be064d2860ace5d7423d3103f2fa33360cd
parent
b67f0538e4
commit
8faf9090d9
|
@ -69,7 +69,13 @@ artifact_policy_rules = [
|
|||
"Policy to set custom location for artifact"),
|
||||
policy.RuleDefault("artifact:upload", "rule:admin_or_owner",
|
||||
"Policy to upload blob for artifact"),
|
||||
policy.RuleDefault("artifact:download", "",
|
||||
policy.RuleDefault("artifact:download_deactivated",
|
||||
"'deactivated':%(status)s and rule:context_is_admin "
|
||||
"or not 'deactivated':%(status)s",
|
||||
"Policy to download blob from deactivated artifact"),
|
||||
policy.RuleDefault("artifact:download",
|
||||
"rule:admin_or_owner and "
|
||||
"rule:artifact:download_deactivated",
|
||||
"Policy to download blob from artifact"),
|
||||
]
|
||||
|
||||
|
|
|
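Review bot: With the hard-coded check removed from `Engine` in the second hunk, the deactivated restriction now exists only inside the default of `artifact:download`, so a deployment whose policy file overrides that rule (for example with the old default `""`) stops enforcing it after this change. In oslo.policy, the check `'deactivated':%(status)s` evaluates to false when the enforcement target has no `status` key, which makes `not 'deactivated':%(status)s` pass; the enforce call site is not in this diff, so confirm the target always carries the artifact status. The default for `artifact:download` also tightens from `""` to `rule:admin_or_owner`, which the commit message does not mention and which may block non-owner downloads that previously worked. I would add a release note covering both points and parenthesise the rule for readers: `"('deactivated':%(status)s and rule:context_is_admin) or not 'deactivated':%(status)s"`. A test asserting that a non-admin owner gets Forbidden on a deactivated artifact would pin the behaviour the engine check used to guarantee.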
@ -541,11 +541,6 @@ class Engine(object):
|
|||
blob_name = "%s[%s]" % (field_name, blob_key)\
|
||||
if blob_key else field_name
|
||||
|
||||
if af.status == 'deactivated' and not context.is_admin:
|
||||
msg = _("Only admin is allowed to download artifact data "
|
||||
"when it's deactivated")
|
||||
raise exception.Forbidden(message=msg)
|
||||
|
||||
if af.status == 'deleted':
|
||||
msg = _("Cannot download data when artifact is deleted")
|
||||
raise exception.Forbidden(message=msg)
|
||||
|
|