Tomas Jelinek has uploaded a new change for review. Change subject: engine: fix instance types permissions ......................................................................
engine: fix instance types permissions If the VM is created from instance type, the user needs to have either create instance permission on the specific instance type or the proper getActionType().getActionGroup() on it (either is OK). Same comes for image type. Change-Id: Ibf039b0ea2d4488e243416832703bfc6a55b7337 Signed-off-by: Tomas Jelinek <[email protected]> --- M backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/AddVmCommand.java 1 file changed, 32 insertions(+), 11 deletions(-) git pull ssh://gerrit.ovirt.org:29418/ovirt-engine refs/changes/97/26997/1 diff --git a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/AddVmCommand.java b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/AddVmCommand.java index 457fa7f..6459a57 100644 --- a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/AddVmCommand.java +++ b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/AddVmCommand.java 
@@ -966,25 +966,25 @@ } } } - // if using instance type, need create instance - if (getInstanceType() != null) { - permissionList.add(new PermissionSubject(instanceTypeId, VdcObjectType.VmTemplate, ActionGroup.CREATE_INSTANCE)); - } - // if using image type, need create instance - if (getImageType() != null) { - permissionList.add(new PermissionSubject(imageTypeId, VdcObjectType.VmTemplate, ActionGroup.CREATE_INSTANCE)); - } + addPermissionSubjectForAdminLevelProperties(permissionList); return permissionList; } /** - * user need permission on each object used: template, instance type, image type.. - * for cluster: if instance type is used, create_instance is enough - * but if user has create_template he can choose to use instance type or template + * user need permission on each object used: template, instance type, image type. */ @Override protected boolean checkPermissions(final List<PermissionSubject> permSubjects) { + + if (instanceTypeId != null && !checkInstanceTypeImagePermissions(instanceTypeId)) { + return false; + } + + if (imageTypeId != null && !checkInstanceTypeImagePermissions(imageTypeId)) { + return false; + } + for (PermissionSubject permSubject : permSubjects) { // if user is using instance type, then create_instance on the cluster is enough if (permSubject.getObjectType() == VdcObjectType.VdsGroups && instanceTypeId != null) { 
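Review bot: The trimmed Javadoc on `checkPermissions` no longer describes the cluster rule, yet the loop right after the new guards still applies it (the context line `// if user is using instance type, then create_instance on the cluster is enough` is unchanged), so the method comment now says less than the code does. Suggest keeping one sentence, e.g. `* For the cluster, CREATE_INSTANCE is sufficient when an instance type is used; the instance type and image type themselves are checked in checkInstanceTypeImagePermissions.` Note also that the two CREATE_INSTANCE subjects are no longer part of the list returned by getPermissionCheckSubjects, so any other consumer of that list (none is visible from here) no longer sees the instance/image type as a checked object; worth confirming that is intended. Both getPermissionCheckSubjects and checkPermissions continue outside the hunk.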
@@ -1004,6 +1004,27 @@ return true; } + /** + * If using an instance type/image the user needs to have either CREATE_INSTANCE or the specific + * getActionType().getActionGroup() on the instance type/image + */ + private boolean checkInstanceTypeImagePermissions(Guid id) { + Collection<String> createInstanceMessages = new ArrayList<>(); + Collection<String> actionGroupMessages = new ArrayList<>(); + + PermissionSubject createInstanceSubject = new PermissionSubject(id, VdcObjectType.VmTemplate, ActionGroup.CREATE_INSTANCE); + PermissionSubject actionGroupSubject = new PermissionSubject(id, VdcObjectType.VmTemplate, getActionType().getActionGroup()); + + // it is enough if at least one of this two permissions are there + if (!checkSinglePermission(createInstanceSubject, createInstanceMessages) && + !checkSinglePermission(actionGroupSubject, actionGroupMessages)) { + getReturnValue().getCanDoActionMessages().addAll(actionGroupMessages); + return false; + } + + return true; + } + protected void addPermissionSubjectForAdminLevelProperties(List<PermissionSubject> permissionList) { VmStatic vmFromParams = getParameters().getVmStaticData(); -- To view, visit http://gerrit.ovirt.org/26997 To unsubscribe, visit http://gerrit.ovirt.org/settings Gerrit-MessageType: newchange Gerrit-Change-Id: Ibf039b0ea2d4488e243416832703bfc6a55b7337 Gerrit-PatchSet: 1 Gerrit-Project: ovirt-engine Gerrit-Branch: master Gerrit-Owner: Tomas Jelinek <[email protected]> _______________________________________________ Engine-patches mailing list [email protected] http://lists.ovirt.org/mailman/listinfo/engine-patches
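Review bot: On failure, `checkInstanceTypeImagePermissions` adds only `actionGroupMessages` to the can-do-action messages and drops `createInstanceMessages`, so the user is told only that the action-group permission is missing even though CREATE_INSTANCE on the same template would also have been accepted; either add both lists or say why only one is reported, e.g. `// report only the action-group failure; CREATE_INSTANCE would also have sufficed`. The new Javadoc should also carry `@param id` (the instance type or image type id, checked as a VmTemplate object) and `@return true when the user holds at least one of the two permissions`. The `checkSinglePermission` helper lives outside the hunk, so whether it has effects beyond filling the message list cannot be confirmed here.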
