Show public packages for non-admin users

But only if modification of public packages are allowed in policy file.
Turn off managing public packagef for non-admin users by default.

Currently non-admin users are able to see only their own packages
despite of the policy setting.

Corresponding tests were updated.

Change-Id: I5510f6b8b82d7d28358e1b7dcbffe275079512ee
Closes-Bug: #1496418
This commit is contained in:
Ekaterina Chernova 2015-09-16 19:14:10 +03:00
parent a8e91b16e7
commit d193bf7f4e
3 changed files with 38 additions and 17 deletions

View File

@ -176,6 +176,11 @@ class Controller(object):
def search(self, req):
policy.check("get_package", req.context)
manage_public = True
try:
policy.check("manage_public_package", req.context)
except exc.HTTPForbidden:
manage_public = False
filters = _get_filters(req.GET.items())
@ -188,7 +193,7 @@ class Controller(object):
catalog = req.GET.pop('catalog', '').lower() == 'true'
packages = db_api.package_search(
filters, req.context, limit, catalog=catalog)
filters, req.context, manage_public, limit, catalog=catalog)
if len(packages) == limit:
result['next_marker'] = packages[-1].id
result['packages'] = [package.to_dict() for package in packages]

View File

@ -246,15 +246,17 @@ def package_update(pkg_id_or_name, changes, context):
return pkg
def package_search(filters, context, limit=None, catalog=False):
def package_search(filters, context, manage_public=False,
limit=None, catalog=False):
"""Search packages with different filters
Catalog param controls the base query creation. Catalog queries
only search packages a user can deploy. Non-catalog queries searches
packages a user can edit.
* Admin is allowed to browse all the packages
* Regular user is allowed to browse all packages belongs to user tenant
and all other packages marked is_public.
Also all packages should be enabled.
and all other packages marked is_public in catalog mode.
In edit-mode non-admins are able to get own packages and public
packages if corresponding policy is passed.
* Use marker (inside filters param) and limit for pagination:
The typical pattern of limit and marker is to make an initial limited
request and then to use the ID of the last package from the response
@ -268,12 +270,15 @@ def package_search(filters, context, limit=None, catalog=False):
if catalog:
# Only show packages one can deploy, i.e. own + public
query = query.filter(or_(
pkg.owner_id == context.tenant, pkg.is_public)
)
query = query.filter(or_(pkg.owner_id == context.tenant,
pkg.is_public))
else:
# Show packages one can edit.
if not context.is_admin:
if manage_public:
query = query.filter(or_(pkg.owner_id == context.tenant,
pkg.is_public))
else:
query = query.filter(pkg.owner_id == context.tenant)
# No else here admin can edit everything.

View File

@ -52,10 +52,12 @@ class TestCatalogApi(test_base.ControllerTest, test_base.MuranoApiTestCase):
def test_packages_filtering_admin(self):
self.is_admin = True
self._set_policy_rules(
{'get_package': ''}
{'get_package': '',
'manage_public_package': ''}
)
for dummy in range(7):
self.expect_policy_check('get_package')
self.expect_policy_check('manage_public_package')
pkg = self._add_pkg('test_tenant', type='Library')
self._add_pkg('test_tenant')
@ -104,10 +106,12 @@ class TestCatalogApi(test_base.ControllerTest, test_base.MuranoApiTestCase):
def test_packages_filtering_non_admin(self):
self.is_admin = False
self._set_policy_rules(
{'get_package': ''}
{'get_package': '',
'manage_public_package': ''}
)
for dummy in range(7):
for dummy in range(8):
self.expect_policy_check('get_package')
self.expect_policy_check('manage_public_package')
pkg = self._add_pkg('test_tenant', type='Library')
self._add_pkg('test_tenant')
@ -117,7 +121,7 @@ class TestCatalogApi(test_base.ControllerTest, test_base.MuranoApiTestCase):
result = self.controller.search(self._get(
'/v1/catalog/packages/', params={'catalog': 'False',
'owned': 'False'}))
self.assertEqual(len(result['packages']), 2)
self.assertEqual(len(result['packages']), 3)
result = self.controller.search(self._get(
'/v1/catalog/packages/', params={'catalog': 'False',
'owned': 'True'}))
@ -150,15 +154,22 @@ class TestCatalogApi(test_base.ControllerTest, test_base.MuranoApiTestCase):
result = self.controller.search(self._get(
'/v1/catalog/packages/', params={
'type': 'Library'}))
self.assertEqual(len(result['packages']), 1)
self.assertEqual(len(result['packages']), 2)
self._set_policy_rules({'get_package': '',
'manage_public_package': '!'})
result = self.controller.search(self._get(
'/v1/catalog/packages/', params={'catalog': 'False'}))
self.assertEqual(len(result['packages']), 2)
def test_packages(self):
self._set_policy_rules(
{'get_package': ''}
{'get_package': '',
'manage_public_package': ''}
)
for dummy in range(9):
self.expect_policy_check('get_package')
self.expect_policy_check('manage_public_package')
result = self.controller.search(self._get('/v1/catalog/packages/'))
self.assertEqual(len(result['packages']), 0)
@ -188,10 +199,10 @@ class TestCatalogApi(test_base.ControllerTest, test_base.MuranoApiTestCase):
self._add_pkg('test_tenant', public=True)
self._add_pkg('other_tenant', public=True)
# non-admin can't edit other_tenants public pkgs
# non-admin are allowed to edit public packages by policy
self.is_admin = False
result = self.controller.search(self._get('/v1/catalog/packages/'))
self.assertEqual(len(result['packages']), 3)
self.assertEqual(len(result['packages']), 4)
# can deploy mine + other public
result = self.controller.search(self._get(
'/v1/catalog/packages/', params={'catalog': 'True'}))