From f27064ffb939f93e5f7c3b9912bdbe3e1939f15d Mon Sep 17 00:00:00 2001
From: Juan Antonio Osorio Robles
Date: Thu, 11 Oct 2018 08:56:44 +0300
Subject: [PATCH] Use authorize instead of enforce in policy

the policy module was doing a manual check to see if the specific rule was actually part of the rules that the enforcer is using. oslo.policy already has a function that does just this, which is 'authorize'. That will check the registered rules and raise an exception if that's not fulfilled.

Change-Id: I9f04f8b8770b15ac24f9f1cd57a58c7e98b24d48
---
 neutron_lib/_policy.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/neutron_lib/_policy.py b/neutron_lib/_policy.py
index 4c8b46e6a..bb40df012 100644
--- a/neutron_lib/_policy.py
+++ b/neutron_lib/_policy.py
@@ -57,9 +57,10 @@ def _check_rule(context, rule):
     init()
     # the target is user-self
     credentials = context.to_policy_values()
-    if rule not in _ROLE_ENFORCER.rules:
+    try:
+        return _ROLE_ENFORCER.authorize(rule, credentials, credentials)
+    except policy.PolicyNotRegistered:
         return False
-    return _ROLE_ENFORCER.enforce(rule, credentials, credentials)
 
 
 def check_is_admin(context):
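Review bot: The new `except policy.PolicyNotRegistered: return False` branch in `_check_rule` may not be equivalent to the removed `rule not in _ROLE_ENFORCER.rules` test, because `authorize` checks the rules registered in code with the enforcer rather than the loaded rule set. If that is right, a rule an operator defines only in the policy file would now be denied where it was previously evaluated; whether `init()` registers every rule that callers pass is outside this hunk. Denying is the safe default for an admin check, but it is silent, so I would add a comment above the `except` such as `# fail closed: a rule that was never registered is treated as not granted`, plus a debug log naming the rule so a denied check can be traced. The diffstat shows only `_policy.py` changed, so a unit test for the unregistered-rule path appears to be missing.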