From 8faf9090d9ef82239adfe015e2cdb8b92f7efaa8 Mon Sep 17 00:00:00 2001
From: Mike Fedosin
Date: Thu, 20 Jul 2017 21:26:36 +0300
Subject: [PATCH] Create new policy for downloading deactivated artifacts

Now there is a check in the engine, that verifies that only admins can download deactivated artifacts. This is not recommended and it's much wiser to create a policy to check this.

Change-Id: I26fb4be064d2860ace5d7423d3103f2fa33360cd
---
glare/common/policy.py | 8 +++++++-
glare/engine.py | 5 -----
2 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/glare/common/policy.py b/glare/common/policy.py
index 0ea2cb5..fabdd58 100644
--- a/glare/common/policy.py
+++ b/glare/common/policy.py
@@ -69,7 +69,13 @@ artifact_policy_rules = [
"Policy to set custom location for artifact"),
policy.RuleDefault("artifact:upload", "rule:admin_or_owner",
"Policy to upload blob for artifact"),
- policy.RuleDefault("artifact:download", "",
+ policy.RuleDefault("artifact:download_deactivated",
+ "'deactivated':%(status)s and rule:context_is_admin "
+ "or not 'deactivated':%(status)s",
+ "Policy to download blob from deactivated artifact"),
+ policy.RuleDefault("artifact:download",
+ "rule:admin_or_owner and "
+ "rule:artifact:download_deactivated",
"Policy to download blob from artifact"),
]

diff --git a/glare/engine.py b/glare/engine.py
index f647cce..19b920e 100644
--- a/glare/engine.py
+++ b/glare/engine.py
@@ -541,11 +541,6 @@ class Engine(object):
blob_name = "%s[%s]" % (field_name, blob_key)\
if blob_key else field_name
- if af.status == 'deactivated' and not context.is_admin:
- msg = _("Only admin is allowed to download artifact data "
- "when it's deactivated")
- raise exception.Forbidden(message=msg)
-
if af.status == 'deleted':
msg = _("Cannot download data when artifact is deleted")
raise exception.Forbidden(message=msg)
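Review bot: The new `artifact:download` default conjoins `rule:admin_or_owner` with the deactivated gate, whereas the removed line granted download with an empty rule (allow everyone), so non-owner, non-admin users who could previously download an artifact's blobs lose that access; that tightening is not mentioned in the commit message and goes beyond the stated goal. If only the deactivated case is meant to change, the default should keep the earlier grant and add just the gate, e.g. `"rule:artifact:download_deactivated"`, and the broader restriction should be a separate, documented change. The `and`/`or` precedence in `artifact:download_deactivated` does read as `(deactivated and admin) or not deactivated`, which is the intended meaning, but `'deactivated':%(status)s` is only meaningful when the check target carries the artifact's `status`; if the target lacks that key the negated branch passes and a deactivated artifact becomes downloadable, so the authorize call site (not shown in this patch) must supply it. A comment next to the rule, such as `# requires 'status' in the policy target; the negated branch passes when the key is absent`, would make that dependency visible to operators editing policy.json.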
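Review bot: Removing this guard makes the `artifact:download_deactivated` policy rule the sole barrier against non-admin downloads of deactivated artifacts, but nothing in this hunk shows the `artifact:download` policy being enforced with a target that includes `af.status`; the enclosing method starts and ends outside the hunk, so that call site should be confirmed to pass the artifact's fields before this check is dropped. A short comment at the deletion point, `# non-admin access to deactivated artifacts is rejected by the artifact:download_deactivated policy rule`, would tell the next reader where the check moved. The existing unit test for a non-admin download of a deactivated artifact (if any) should be kept and now assert the Forbidden comes from the policy layer rather than this removed branch.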