Merge "Remove db layer hard-code permission checks for security_group_default_rule_destroy"

2015-06-23 21:00:24 +00:00 · 2015-06-23 21:00:24 +00:00 · ca59f81ec1
parent 3b38ae4842 a4e6ccb5d0
commit ca59f81ec1
3 changed files with 8 additions and 1 deletions
--- a/nova/api/openstack/compute/contrib/security_group_default_rules.py
+++ b/nova/api/openstack/compute/contrib/security_group_default_rules.py
@ -88,6 +88,9 @@ class SecurityGroupDefaultRulesController(sg.SecurityGroupControllerBase):
    def delete(self, req, id):
        context = sg._authorize_context(req)
        authorize(context)
+        # NOTE(shaohe-feng): back-compatible with db layer hard-code
+        # admin permission checks.
+        nova_context.require_admin_context(context)

        try:
            id = self.security_group_api.validate_id(id)
--- a/nova/db/sqlalchemy/api.py
+++ b/nova/db/sqlalchemy/api.py
@ -4285,7 +4285,6 @@ def security_group_default_rule_get(context, security_group_rule_default_id):
    return result


-@require_admin_context
 def security_group_default_rule_destroy(context,
                                        security_group_rule_default_id):
    session = get_session()
--- a/nova/tests/unit/api/openstack/compute/contrib/test_security_group_default_rules.py
+++ b/nova/tests/unit/api/openstack/compute/contrib/test_security_group_default_rules.py
@ -337,6 +337,11 @@ class TestSecurityGroupDefaultRulesV2(test.TestCase):
        self.assertRaises(exception.AdminRequired, self.controller.create,
                          self.non_admin_req, sgr_dict)

+    def test_delete_security_group_default_rules_with_non_admin(self):
+        self.controller = self.controller_cls()
+        self.assertRaises(exception.AdminRequired,
+                          self.controller.delete, self.non_admin_req, 1)
+

 class SecurityGroupDefaultRulesPolicyEnforcementV21(test.NoDBTestCase):