From b86116ee3891eab4487e01920ccbf2b4499d20cb Mon Sep 17 00:00:00 2001
From: Adit Sarfaty
Date: Tue, 11 Jul 2017 14:23:06 +0300
Subject: [PATCH] Fix FWaaS create/update policy with non-admin

Creating and updating a shared policy is forbidden for non admin user. This patch makes sure the 'shared' attribute is disabled, and not added to the request body of the update request, so the request will not fail in neutron.

Change-Id: Icefd45cac7ba990a3c6d76f40476d2eb3ccf4487
---
 etc/neutron-fwaas-policy.json | 4 +++-
 .../dashboards/project/firewalls/forms.py | 20 +++++++++++++++++++
 .../dashboards/project/firewalls/workflows.py | 12 +++++++++++
 3 files changed, 35 insertions(+), 1 deletion(-)

diff --git a/etc/neutron-fwaas-policy.json b/etc/neutron-fwaas-policy.json
index 3458dad..ecd00ab 100644
--- a/etc/neutron-fwaas-policy.json
+++ b/etc/neutron-fwaas-policy.json
@@ -17,9 +17,11 @@
     "create_firewall_policy": "",
     "get_firewall_policy": "rule:admin_or_owner or rule:shared_firewall_policies",
-    "create_firewall_policy:shared": "rule:admin_or_owner",
     "update_firewall_policy": "rule:admin_or_owner",
     "delete_firewall_policy": "rule:admin_or_owner",
+    "create_firewall_policy:shared": "rule:admin_only",
+    "update_firewall_policy:shared": "rule:admin_only",
+    "delete_firewall_policy:shared": "rule:admin_only",
     "insert_rule": "rule:admin_or_owner",
     "remove_rule": "rule:admin_or_owner",
diff --git a/neutron_fwaas_dashboard/dashboards/project/firewalls/forms.py b/neutron_fwaas_dashboard/dashboards/project/firewalls/forms.py
index 1d8a709..aff5211 100644
--- a/neutron_fwaas_dashboard/dashboards/project/firewalls/forms.py
+++ b/neutron_fwaas_dashboard/dashboards/project/firewalls/forms.py
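Review bot: The three `:shared` targets are switched to `rule:admin_only`, but this file is the dashboard's local copy of the neutron-fwaas policy and is only consulted by the UI-side `policy.check` calls this patch adds; it does not change what the neutron server enforces, so it has to be kept in step with the server-side policy file or the UI will grey out or offer the checkbox incorrectly. `delete_firewall_policy:shared` is added here although nothing else in this patch references it, so it appears to be for parity with the server-side file only. Since JSON allows no inline comment, the "keep in sync with the neutron-fwaas server policy" requirement would be best recorded in the project's configuration documentation next to this file.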
@@ -131,9 +131,29 @@ class UpdatePolicy(forms.SelfHandlingForm):
     failure_url = 'horizon:project:firewalls:index'
+    def __init__(self, request, *args, **kwargs):
+        super(UpdatePolicy, self).__init__(request, *args, **kwargs)
+        # Only admin user can update the 'shared' attribute
+        self.ignore_shared = False
+        if not policy.check((("neutron-fwaas",
+                              "update_firewall_policy:shared"),),
+                            request):
+            self.fields['shared'].widget = forms.CheckboxInput(
+                attrs={'readonly': 'readonly', 'disabled': 'disabled'})
+            self.fields['shared'].help_text = _(
+                'Non admin users are not allowed to set the shared property '
+                'of the policy.')
+            self.ignore_shared = True
+
     def handle(self, request, context):
         policy_id = self.initial['policy_id']
         name_or_id = context.get('name') or policy_id
+
+        # Remove 'shared' from the context if the user is not allowed to
+        # change this field
+        if self.ignore_shared and 'shared' in context:
+            del context['shared']
+
         try:
             policy = api_fwaas.policy_update(request, policy_id, **context)
             msg = _('Policy %s was successfully updated.') % name_or_id
diff --git a/neutron_fwaas_dashboard/dashboards/project/firewalls/workflows.py b/neutron_fwaas_dashboard/dashboards/project/firewalls/workflows.py
index 72b72fa..d075fa5 100644
--- a/neutron_fwaas_dashboard/dashboards/project/firewalls/workflows.py
+++ b/neutron_fwaas_dashboard/dashboards/project/firewalls/workflows.py
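Review bot: `'readonly': 'readonly'` in the `CheckboxInput` attrs of the new `__init__` does nothing for a checkbox (browsers honour `readonly` only on text-like inputs); `disabled` is what keeps the value out of the POST, and the effective control is the `del context['shared']` in `handle`, since widget attributes can be stripped client-side — a comment such as `# The disabled widget is cosmetic; handle() drops 'shared' so a tampered form cannot set it` on that line would make the intent clear to the next maintainer. The same eleven-line block is repeated in the `AddPolicyAction.__init__` hunk in workflows.py with only the policy target differing, so a small helper taking the target name would remove the duplication and the `ignore_shared = False` / `= True` pair. Neither hunk adds an import for `policy`, so both files rely on an import already present (presumably `openstack_dashboard.policy`); worth confirming. `handle` continues past the end of the hunk.
```python
def _disable_shared_unless_allowed(form, request, policy_target):
    """Grey out 'shared' unless request passes policy_target; return True if so."""
    if policy.check((("neutron-fwaas", policy_target),), request):
        return False
    form.fields['shared'].widget = forms.CheckboxInput(
        attrs={'disabled': 'disabled'})
    form.fields['shared'].help_text = _(
        'Non admin users are not allowed to set the shared property '
        'of the policy.')
    return True

# … unchanged: class UpdatePolicy header, fields, failure_url …

    def __init__(self, request, *args, **kwargs):
        super(UpdatePolicy, self).__init__(request, *args, **kwargs)
        # Only an admin may change 'shared'; handle() drops it otherwise.
        self.ignore_shared = _disable_shared_unless_allowed(
            self, request, "update_firewall_policy:shared")

# … unchanged: handle() …
```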
@@ -292,6 +292,18 @@ class AddPolicyAction(workflows.Action):
     def __init__(self, request, *args, **kwargs):
         super(AddPolicyAction, self).__init__(request, *args, **kwargs)
+        # Only admin user can update the 'shared' attribute
+        self.ignore_shared = False
+        if not policy.check((("neutron-fwaas",
+                              "create_firewall_policy:shared"),),
+                            request):
+            self.fields['shared'].widget = forms.CheckboxInput(
+                attrs={'readonly': 'readonly', 'disabled': 'disabled'})
+            self.fields['shared'].help_text = _(
+                'Non admin users are not allowed to set the shared property '
+                'of the policy.')
+            self.ignore_shared = True
+
     class Meta(object):
         name = _("Policy")
         permissions = ('openstack.services.network',)
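Review bot: `self.ignore_shared` is assigned in this `__init__` but nothing in the hunk reads it, and the diffstat shows no other change to workflows.py, so the create path that consumes the action's data (outside the hunk) presumably still sends `shared`; the commit message only claims the update request body is trimmed. That works only if a disabled checkbox yields the default False and the server does not apply the `:shared` rule to a default value — an assumption worth stating in a comment, e.g. `# Disabled checkbox submits the default False; only an explicit True would trip create_firewall_policy:shared`, or better, mirror the update path by dropping the key before the create call: `if self.ignore_shared: context.pop('shared', None)`. The enclosing class `AddPolicyAction` and its consumers extend beyond the hunk.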