diff --git a/openstack_dashboard/api/neutron.py b/openstack_dashboard/api/neutron.py
index 7e4e5d542b..555b164f92 100644
--- a/openstack_dashboard/api/neutron.py
+++ b/openstack_dashboard/api/neutron.py
@@ -1287,8 +1287,7 @@ def get_feature_permission(request, feature, operation=None):
 # Check policy
 feature_policies = feature_info.get('policies')
- policy_check = getattr(settings, "POLICY_CHECK_FUNCTION", None)
- if feature_policies and policy_check:
+ if feature_policies:
 policy_name = feature_policies.get(operation)
 if not policy_name:
 # Translators: Only used inside Horizon code and invisible to users
diff --git a/openstack_dashboard/dashboards/project/access_and_security/floating_ips/tables.py b/openstack_dashboard/dashboards/project/access_and_security/floating_ips/tables.py
index 88f5f4765e..4e4ee83384 100644
--- a/openstack_dashboard/dashboards/project/access_and_security/floating_ips/tables.py
+++ b/openstack_dashboard/dashboards/project/access_and_security/floating_ips/tables.py
@@ -15,7 +15,6 @@
 import logging
-from django.conf import settings
 from django.core.urlresolvers import reverse
 from django import shortcuts
 from django.utils.http import urlencode
@@ -29,14 +28,13 @@ from horizon import messages
 from horizon import tables
 from openstack_dashboard import api
+from openstack_dashboard import policy
 from openstack_dashboard.usage import quotas
 from openstack_dashboard.utils import filters
 LOG = logging.getLogger(__name__)
-POLICY_CHECK = getattr(settings, "POLICY_CHECK_FUNCTION", lambda p, r: True)
-
 class AllocateIP(tables.LinkAction):
 name = "allocate"
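Review bot: With the `policy_check` guard removed, `if feature_policies:` in get_feature_permission now runs the operation lookup on every deployment, so an operation missing from `feature_policies` reaches the `if not policy_name:` branch even where `POLICY_CHECK_FUNCTION` is unset and the whole block used to be skipped. The hunk also deletes the only visible binding of `policy_check`; the rest of the function lies outside the hunk, so confirm that nothing below still refers to that name. A one-line comment above the `if`, such as `# Always evaluated; policy.check() handles the case where no policy engine is configured`, would record where that decision now lives, once it has been confirmed against `policy.check`.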
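Review bot: The removed module-level fallback `lambda p, r: True` in floating_ips/tables.py made the policy part of every `allowed()` in that file pass when `POLICY_CHECK_FUNCTION` was not configured; after this change that default depends entirely on `policy.check`, whose body is not part of the visible diff. Its docstring should state explicitly whether a missing policy function allows or denies, for example `Returns True when POLICY_CHECK_FUNCTION is unset.` if that is what the implementation does (to be confirmed). The same fallback is also removed from security_groups/tables.py, instances/tables.py and network_topology/utils.py, so one documented default covers all of them. These `allowed()` results only decide what the dashboard renders; enforcement still has to happen in the backing API.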
@@ -61,12 +59,12 @@ class AllocateIP(tables.LinkAction):
 self.classes = classes
 if api.base.is_service_enabled(request, "network"):
- policy = (("network", "create_floatingip"),)
+ policy_rules = (("network", "create_floatingip"),)
 else:
- policy = (("compute", "compute_extension:floating_ips"),
- ("compute", "network:allocate_floating_ip"),)
+ policy_rules = (("compute", "compute_extension:floating_ips"),
+ ("compute", "network:allocate_floating_ip"),)
- return POLICY_CHECK(policy, request)
+ return policy.check(policy_rules, request)
 class ReleaseIPs(tables.BatchAction):
@@ -94,12 +92,12 @@ class ReleaseIPs(tables.BatchAction):
 def allowed(self, request, fip=None):
 if api.base.is_service_enabled(request, "network"):
- policy = (("network", "delete_floatingip"),)
+ policy_rules = (("network", "delete_floatingip"),)
 else:
- policy = (("compute", "compute_extension:floating_ips"),
- ("compute", "network:release_floating_ip"),)
+ policy_rules = (("compute", "compute_extension:floating_ips"),
+ ("compute", "network:release_floating_ip"),)
- return POLICY_CHECK(policy, request)
+ return policy.check(policy_rules, request)
 def action(self, request, obj_id):
 api.network.tenant_floating_ip_release(request, obj_id)
@@ -114,12 +112,12 @@ class AssociateIP(tables.LinkAction):
 def allowed(self, request, fip):
 if api.base.is_service_enabled(request, "network"):
- policy = (("network", "update_floatingip"),)
+ policy_rules = (("network", "update_floatingip"),)
 else:
- policy = (("compute", "compute_extension:floating_ips"),
- ("compute", "network:associate_floating_ip"),)
+ policy_rules = (("compute", "compute_extension:floating_ips"),
+ ("compute", "network:associate_floating_ip"),)
- return not fip.port_id and policy.check(policy_rules, request)
+ return not fip.port_id and policy.check(policy_rules, request)
 def get_link_url(self, datum):
 base_url = reverse(self.url)
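Review bot: `policy.check(policy_rules, request)` in ReleaseIPs.allowed and AssociateIP.allowed (and in DisassociateIP.allowed in the following hunk) is called without a target even though a `fip` row is available, while the security-group actions in this same commit pass `policy_target` or `target={}`. If rules such as `delete_floatingip` or `update_floatingip` are owner-scoped in the deployed policy file, the outcome then depends on how `policy.check` fills in a missing target, which is not visible here. Passing the owner explicitly, e.g. `policy.check(policy_rules, request, target={'project_id': getattr(fip, 'tenant_id', None)})`, mirrors the pattern used for instances in this commit; whether floating-IP objects expose `tenant_id` needs confirming. Each method continues outside its hunk.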
@@ -136,12 +134,12 @@ class DisassociateIP(tables.Action):
 def allowed(self, request, fip):
 if api.base.is_service_enabled(request, "network"):
- policy = (("network", "update_floatingip"),)
+ policy_rules = (("network", "update_floatingip"),)
 else:
- policy = (("compute", "compute_extension:floating_ips"),
- ("compute", "network:disassociate_floating_ip"),)
+ policy_rules = (("compute", "compute_extension:floating_ips"),
+ ("compute", "network:disassociate_floating_ip"),)
- return fip.port_id and POLICY_CHECK(policy, request)
+ return fip.port_id and policy.check(policy_rules, request)
 def single(self, table, request, obj_id):
 try:
diff --git a/openstack_dashboard/dashboards/project/access_and_security/security_groups/tables.py b/openstack_dashboard/dashboards/project/access_and_security/security_groups/tables.py
index 19f4a8b93a..3d5f465ec2 100644
--- a/openstack_dashboard/dashboards/project/access_and_security/security_groups/tables.py
+++ b/openstack_dashboard/dashboards/project/access_and_security/security_groups/tables.py
@@ -26,10 +26,6 @@ from openstack_dashboard.usage import quotas
 from openstack_dashboard.utils import filters
-POLICY_CHECK = getattr(settings, "POLICY_CHECK_FUNCTION",
- lambda policy, request, target: True)
-
-
 class DeleteGroup(policy.PolicyTargetMixin, tables.DeleteAction):
 @staticmethod
@@ -51,11 +47,11 @@ class DeleteGroup(policy.PolicyTargetMixin, tables.DeleteAction):
 def allowed(self, request, security_group=None):
 policy_target = self.get_policy_target(request, security_group)
 if api.base.is_service_enabled(request, "network"):
- policy = (("network", "delete_security_group"),)
+ policy_rules = (("network", "delete_security_group"),)
 else:
- policy = (("compute", "compute_extension:security_groups"),)
+ policy_rules = (("compute", "compute_extension:security_groups"),)
- if not POLICY_CHECK(policy, request, policy_target):
+ if not policy.check(policy_rules, request, policy_target):
 return False
 if not security_group:
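Review bot: `return fip.port_id and policy.check(policy_rules, request)` in DisassociateIP.allowed returns the falsy port id value itself (None or an empty string) rather than a boolean when the floating IP is unassociated, whereas AssociateIP.allowed returns a real boolean through `not fip.port_id and …`. Callers that only test truthiness are unaffected, but `return bool(fip.port_id) and policy.check(policy_rules, request)` keeps the return type of every `allowed()` uniform and avoids handing an identifier to whatever consumes the result.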
@@ -75,9 +71,9 @@ class CreateGroup(tables.LinkAction):
 def allowed(self, request, security_group=None):
 if api.base.is_service_enabled(request, "network"):
- policy = (("network", "create_security_group"),)
+ policy_rules = (("network", "create_security_group"),)
 else:
- policy = (("compute", "compute_extension:security_groups"),)
+ policy_rules = (("compute", "compute_extension:security_groups"),)
 usages = quotas.tenant_quota_usages(request)
 if usages['security_groups'].get('available', 1) <= 0:
@@ -88,7 +84,7 @@ class CreateGroup(tables.LinkAction):
 self.verbose_name = _("Create Security Group")
 self.classes = [c for c in self.classes if c != "disabled"]
- return POLICY_CHECK(policy, request, target={})
+ return policy.check(policy_rules, request, target={})
 class EditGroup(policy.PolicyTargetMixin, tables.LinkAction):
@@ -101,11 +97,11 @@ class EditGroup(policy.PolicyTargetMixin, tables.LinkAction):
 def allowed(self, request, security_group=None):
 policy_target = self.get_policy_target(request, security_group)
 if api.base.is_service_enabled(request, "network"):
- policy = (("network", "update_security_group"),)
+ policy_rules = (("network", "update_security_group"),)
 else:
- policy = (("compute", "compute_extension:security_groups"),)
+ policy_rules = (("compute", "compute_extension:security_groups"),)
- if not POLICY_CHECK(policy, request, policy_target):
+ if not policy.check(policy_rules, request, policy_target):
 return False
 if not security_group:
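Review bot: CreateGroup.allowed selects `policy_rules` at the top but only evaluates them in the final `return policy.check(policy_rules, request, target={})`, after `quotas.tenant_quota_usages(request)` has already been called and the action's `verbose_name` and `classes` have been rewritten. The lines between the two CreateGroup hunks are not visible, so this is judged from the visible part only. Checking first and returning early, `if not policy.check(policy_rules, request, target={}): return False`, directly after the rule selection would skip the quota lookup for users who may not create groups at all, with the last line becoming `return True`. DeleteGroup.allowed and EditGroup.allowed in this file already use that early-return order.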
@@ -122,11 +118,11 @@ class ManageRules(policy.PolicyTargetMixin, tables.LinkAction):
 def allowed(self, request, security_group=None):
 policy_target = self.get_policy_target(request, security_group)
 if api.base.is_service_enabled(request, "network"):
- policy = (("network", "get_security_group"),)
+ policy_rules = (("network", "get_security_group"),)
 else:
- policy = (("compute", "compute_extension:security_groups"),)
+ policy_rules = (("compute", "compute_extension:security_groups"),)
- return POLICY_CHECK(policy, request, policy_target)
+ return policy.check(policy_rules, request, policy_target)
 class SecurityGroupsFilterAction(tables.FilterAction):
@@ -161,11 +157,11 @@ class CreateRule(tables.LinkAction):
 def allowed(self, request, security_group_rule=None):
 if api.base.is_service_enabled(request, "network"):
- policy = (("network", "create_security_group_rule"),)
+ policy_rules = (("network", "create_security_group_rule"),)
 else:
- policy = (("compute", "compute_extension:security_groups"),)
+ policy_rules = (("compute", "compute_extension:security_groups"),)
- return POLICY_CHECK(policy, request, target={})
+ return policy.check(policy_rules, request, target={})
 def get_link_url(self):
 return reverse(self.url, args=[self.table.kwargs['security_group_id']])
@@ -190,11 +186,11 @@ class DeleteRule(tables.DeleteAction):
 def allowed(self, request, security_group_rule=None):
 if api.base.is_service_enabled(request, "network"):
- policy = (("network", "delete_security_group_rule"),)
+ policy_rules = (("network", "delete_security_group_rule"),)
 else:
- policy = (("compute", "compute_extension:security_groups"),)
+ policy_rules = (("compute", "compute_extension:security_groups"),)
- return POLICY_CHECK(policy, request, target={})
+ return policy.check(policy_rules, request, target={})
 def delete(self, request, obj_id):
 api.network.security_group_rule_delete(request, obj_id)
diff --git a/openstack_dashboard/dashboards/project/instances/tables.py b/openstack_dashboard/dashboards/project/instances/tables.py
index 606748118d..e81bfa402f 100644
--- a/openstack_dashboard/dashboards/project/instances/tables.py
+++ b/openstack_dashboard/dashboards/project/instances/tables.py
@@ -216,17 +216,16 @@ class TogglePause(tables.BatchAction):
 self.paused = instance.status == "PAUSED"
 if self.paused:
 self.current_present_action = UNPAUSE
- policy = (("compute", "compute_extension:admin_actions:unpause"),)
+ policy_rules = (
+ ("compute", "compute_extension:admin_actions:unpause"),)
 else:
 self.current_present_action = PAUSE
- policy = (("compute", "compute_extension:admin_actions:pause"),)
+ policy_rules = (
+ ("compute", "compute_extension:admin_actions:pause"),)
- has_permission = True
- policy_check = getattr(settings, "POLICY_CHECK_FUNCTION", None)
- if policy_check:
- has_permission = policy_check(
- policy, request,
- target={'project_id': getattr(instance, 'tenant_id', None)})
+ has_permission = policy.check(
+ policy_rules, request,
+ target={'project_id': getattr(instance, 'tenant_id', None)})
 return (has_permission and (instance.status in ACTIVE_STATES or self.paused)
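Review bot: `target={'project_id': getattr(instance, 'tenant_id', None)}` in TogglePause.allowed, and identically in ToggleSuspend.allowed and ToggleShelve.allowed in the next two hunks, hands the policy engine `project_id: None` whenever the instance object has no `tenant_id`, and how an owner-scoped rule is decided against None depends on the configured policy function. Since the call is now unconditional, the intent deserves a comment above it, e.g. `# project_id is None when the instance carries no tenant_id; the policy engine then decides owner rules`, or the method could treat a missing `tenant_id` as not allowed. This file section shows no added `from openstack_dashboard import policy` line and no removed `settings` import, so both are presumably settled outside the visible hunks and should be checked. All three methods start and end outside their hunks.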
@@ -284,17 +283,16 @@ class ToggleSuspend(tables.BatchAction):
 self.suspended = instance.status == "SUSPENDED"
 if self.suspended:
 self.current_present_action = RESUME
- policy = (("compute", "compute_extension:admin_actions:resume"),)
+ policy_rules = (
+ ("compute", "compute_extension:admin_actions:resume"),)
 else:
 self.current_present_action = SUSPEND
- policy = (("compute", "compute_extension:admin_actions:suspend"),)
+ policy_rules = (
+ ("compute", "compute_extension:admin_actions:suspend"),)
- has_permission = True
- policy_check = getattr(settings, "POLICY_CHECK_FUNCTION", None)
- if policy_check:
- has_permission = policy_check(
- policy, request,
- target={'project_id': getattr(instance, 'tenant_id', None)})
+ has_permission = policy.check(
+ policy_rules, request,
+ target={'project_id': getattr(instance, 'tenant_id', None)})
 return (has_permission and (instance.status in ACTIVE_STATES or self.suspended)
@@ -351,17 +349,14 @@ class ToggleShelve(tables.BatchAction):
 self.shelved = instance.status == "SHELVED_OFFLOADED"
 if self.shelved:
 self.current_present_action = UNSHELVE
- policy = (("compute", "compute_extension:unshelve"),)
+ policy_rules = (("compute", "compute_extension:unshelve"),)
 else:
 self.current_present_action = SHELVE
- policy = (("compute", "compute_extension:shelve"),)
+ policy_rules = (("compute", "compute_extension:shelve"),)
- has_permission = True
- policy_check = getattr(settings, "POLICY_CHECK_FUNCTION", None)
- if policy_check:
- has_permission = policy_check(
- policy, request,
- target={'project_id': getattr(instance, 'tenant_id', None)})
+ has_permission = policy.check(
+ policy_rules, request,
+ target={'project_id': getattr(instance, 'tenant_id', None)})
 return (has_permission and (instance.status in ACTIVE_STATES or self.shelved)
diff --git a/openstack_dashboard/dashboards/project/network_topology/utils.py b/openstack_dashboard/dashboards/project/network_topology/utils.py
index d869c6974c..74931ced4d 100644
--- a/openstack_dashboard/dashboards/project/network_topology/utils.py
+++ b/openstack_dashboard/dashboards/project/network_topology/utils.py
@@ -13,19 +13,10 @@
 from django.conf import settings
 from openstack_dashboard.api import base
+from openstack_dashboard import policy
 from openstack_dashboard.usage import quotas
-def _has_permission(request, policy):
- has_permission = True
- policy_check = getattr(settings, "POLICY_CHECK_FUNCTION", None)
-
- if policy_check:
- has_permission = policy_check(policy, request)
-
- return has_permission
-
-
 def _quota_exceeded(request, quota):
 usages = quotas.tenant_quota_usages(request)
 available = usages.get(quota, {}).get('available', 1)
@@ -39,15 +30,15 @@ def get_context(request, context=None):
 network_config = getattr(settings, 'OPENSTACK_NEUTRON_NETWORK', {})
- context['launch_instance_allowed'] = _has_permission(
- request, (("compute", "compute:create"),))
+ context['launch_instance_allowed'] = policy.check(
+ (("compute", "compute:create"),), request)
 context['instance_quota_exceeded'] = _quota_exceeded(request, 'instances')
- context['create_network_allowed'] = _has_permission(
- request, (("network", "create_network"),))
+ context['create_network_allowed'] = policy.check(
+ (("network", "create_network"),), request)
 context['network_quota_exceeded'] = _quota_exceeded(request, 'networks')
 context['create_router_allowed'] = (
 network_config.get('enable_router', True) and
- _has_permission(request, (("network", "create_router"),)))
+ policy.check((("network", "create_router"),), request))
 context['router_quota_exceeded'] = _quota_exceeded(request, 'routers')
 context['console_type'] = getattr(settings, 'CONSOLE_TYPE', 'AUTO')
 context['show_ng_launch'] = (