Fix FWaaS create/update policy with non-admin
Creating and updating a shared policy is forbidden for non-admin users. This patch makes sure the 'shared' attribute is disabled in the form and is not added to the request body of the update request, so the request does not fail in Neutron. Change-Id: Icefd45cac7ba990a3c6d76f40476d2eb3ccf4487
parent
a767cef2ad
commit
b86116ee38
@ -17,9 +17,11 @@
|
|||||||
|
|
||||||
"create_firewall_policy": "",
|
"create_firewall_policy": "",
|
||||||
"get_firewall_policy": "rule:admin_or_owner or rule:shared_firewall_policies",
|
"get_firewall_policy": "rule:admin_or_owner or rule:shared_firewall_policies",
|
||||||
"create_firewall_policy:shared": "rule:admin_or_owner",
|
|
||||||
"update_firewall_policy": "rule:admin_or_owner",
|
"update_firewall_policy": "rule:admin_or_owner",
|
||||||
"delete_firewall_policy": "rule:admin_or_owner",
|
"delete_firewall_policy": "rule:admin_or_owner",
|
||||||
|
"create_firewall_policy:shared": "rule:admin_only",
|
||||||
|
"update_firewall_policy:shared": "rule:admin_only",
|
||||||
|
"delete_firewall_policy:shared": "rule:admin_only",
|
||||||
|
|
||||||
"insert_rule": "rule:admin_or_owner",
|
"insert_rule": "rule:admin_or_owner",
|
||||||
"remove_rule": "rule:admin_or_owner",
|
"remove_rule": "rule:admin_or_owner",
|
||||||
|
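Review bot: The three `*_firewall_policy:shared` entries added here are the dashboard's local copy of the rule and only decide what the UI offers; the authoritative check is the one Neutron runs against its own policy file, so the two copies have to be kept in sync or a non-admin will still see an enabled checkbox and get a Neutron error. That distinction is worth one sentence in the commit message, since a reviewer could otherwise read this file as the enforcement point. `"delete_firewall_policy:shared"` is added alongside the other two but no hunk on this page consults it, so if nothing in the dashboard references it I would say so in the message as well (kept for parity with the Neutron rules).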
@ -131,9 +131,29 @@ class UpdatePolicy(forms.SelfHandlingForm):
|
|||||||
|
|
||||||
failure_url = 'horizon:project:firewalls:index'
|
failure_url = 'horizon:project:firewalls:index'
|
||||||
|
|
||||||
|
def __init__(self, request, *args, **kwargs):
|
||||||
|
super(UpdatePolicy, self).__init__(request, *args, **kwargs)
|
||||||
|
# Only admin user can update the 'shared' attribute
|
||||||
|
self.ignore_shared = False
|
||||||
|
if not policy.check((("neutron-fwaas",
|
||||||
|
"update_firewall_policy:shared"),),
|
||||||
|
request):
|
||||||
|
self.fields['shared'].widget = forms.CheckboxInput(
|
||||||
|
attrs={'readonly': 'readonly', 'disabled': 'disabled'})
|
||||||
|
self.fields['shared'].help_text = _(
|
||||||
|
'Non admin users are not allowed to set the shared property '
|
||||||
|
'of the policy.')
|
||||||
|
self.ignore_shared = True
|
||||||
|
|
||||||
def handle(self, request, context):
|
def handle(self, request, context):
|
||||||
policy_id = self.initial['policy_id']
|
policy_id = self.initial['policy_id']
|
||||||
name_or_id = context.get('name') or policy_id
|
name_or_id = context.get('name') or policy_id
|
||||||
|
|
||||||
|
# Remove 'shared' from the context if the user is not allowed to
|
||||||
|
# change this field
|
||||||
|
if self.ignore_shared and 'shared' in context:
|
||||||
|
del context['shared']
|
||||||
|
|
||||||
try:
|
try:
|
||||||
policy = api_fwaas.policy_update(request, policy_id, **context)
|
policy = api_fwaas.policy_update(request, policy_id, **context)
|
||||||
msg = _('Policy %s was successfully updated.') % name_or_id
|
msg = _('Policy %s was successfully updated.') % name_or_id
|
||||||
|
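Review bot: The `disabled`/`readonly` attributes on the replaced widget are only a client-side hint, and `readonly` has no effect on a checkbox input at all; the server-side guard is the `ignore_shared` check that drops `shared` from `context` in `handle`, which is what actually keeps the attribute out of the Neutron request. I would say that on the widget line, e.g. `# Client-side hint only; handle() drops 'shared' server-side when ignore_shared is set`, so nobody later removes the `del` believing the disabled checkbox is sufficient. Note also that `handle` rebinds the name `policy` to the result of `api_fwaas.policy_update`, shadowing the `policy` module that `__init__` calls `policy.check` on; harmless today, but any later `policy.check` added below that line in `handle` would fail, so a different local name (`updated_policy`) would be safer. The rest of `handle` (the except branch) continues outside the hunk.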
@ -292,6 +292,18 @@ class AddPolicyAction(workflows.Action):
|
|||||||
def __init__(self, request, *args, **kwargs):
|
def __init__(self, request, *args, **kwargs):
|
||||||
super(AddPolicyAction, self).__init__(request, *args, **kwargs)
|
super(AddPolicyAction, self).__init__(request, *args, **kwargs)
|
||||||
|
|
||||||
|
# Only admin user can update the 'shared' attribute
|
||||||
|
self.ignore_shared = False
|
||||||
|
if not policy.check((("neutron-fwaas",
|
||||||
|
"create_firewall_policy:shared"),),
|
||||||
|
request):
|
||||||
|
self.fields['shared'].widget = forms.CheckboxInput(
|
||||||
|
attrs={'readonly': 'readonly', 'disabled': 'disabled'})
|
||||||
|
self.fields['shared'].help_text = _(
|
||||||
|
'Non admin users are not allowed to set the shared property '
|
||||||
|
'of the policy.')
|
||||||
|
self.ignore_shared = True
|
||||||
|
|
||||||
class Meta(object):
|
class Meta(object):
|
||||||
name = _("Policy")
|
name = _("Policy")
|
||||||
permissions = ('openstack.services.network',)
|
permissions = ('openstack.services.network',)
|
||||||
|
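Review bot: `self.ignore_shared` is set here but nothing in this hunk reads it, and unlike the forms.py hunk there is no visible step that removes `shared` from the context before the create call; a disabled checkbox is not submitted by the browser, so the BooleanField will presumably resolve to False and `shared=False` may still be sent to Neutron unless the workflow's handle step (outside this hunk) strips it — worth confirming, and worth a comment on the flag stating where it is consumed. The block is also a near-verbatim copy of the `UpdatePolicy.__init__` change, differing only in the policy action string; a small module-level helper taking the form and the action name (`_disable_shared_field(form, action)`) would keep the widget attributes and help text from drifting between the two. The enclosing class continues outside the hunk.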