- if not isinstance(self.caller, Node):
- if ('admin' not in self.caller['roles']):
- if self.caller['person_id'] in slice['person_ids']:
- pass
- elif 'pi' not in self.caller['roles']:
- raise PLCPermissionDenied, "Not a member of the specified slice"
- elif slice['site_id'] not in self.caller['site_ids']:
- raise PLCPermissionDenied, "Specified slice not associated with any of your sites"
-
- if tag_type['min_role_id'] is not None and \
- min(self.caller['role_ids']) > tag_type['min_role_id']:
- raise PLCPermissionDenied, "Not allowed to set the specified slice attribute"
- else:
- ### make node's min_role_id == PI min_role_id
- node_role_id = 20
- if tag_type['min_role_id'] is not None and node_role_id > tag_type['min_role_id']:
- raise PLCPermissionDenied, "Not allowed to set the specified slice attribute"
+ # check authorizations
+ if 'admin' not in self.caller['roles']:
+ # this knows how to deal with self.caller being a node
+ if not AuthorizeHelpers.caller_may_access_tag_type (self.api, self.caller, tag_type):
+ raise PLCPermissionDenied, "%s, forbidden tag %s"%(self.name,tag_type['tagname'])
+ # node callers: check the node is in the slice
+ if isinstance(self.caller, Node):
+ granted=AuthorizeHelpers.node_in_slice (self.api, self.caller, slice)
+ else:
+ if nodegroup_id_or_name:
+ raise PLCPermissionDenied, "%s, cannot set slice tag on nodegroup"%self.name
+ # try all roles to find a match
+ granted=False
+ for role in self.caller['roles']:
+ if role=='pi':
+ if AuthorizeHelpers.person_in_slice(self.api, self.caller, slice):
+ granted=True ; break
+ if node_id_or_hostname is not None and \
+ AuthorizeHelpers.node_id_or_hostname_in_slice(self.api, node_id_or_hostname_in_slice, slice):
+ granted=True ; break
+ elif role=='user':
+ if AuthorizeHelpers.person_in_slice(self.api, self.caller, slice):
+ granted=True ; break
+ elif role=='tech':
+ if node_id_or_hostname is not None and \
+ AuthorizeHelpers.node_id_or_hostname_in_slice(self.api, node_id_or_hostname_in_slice, slice):
+ granted=True ; break
+ if not granted:
+ raise PLCPermissionDenied, "%s, forbidden tag %s"%(self.name,tag_type['tagname'])
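Review bot: Both `AuthorizeHelpers.node_id_or_hostname_in_slice(...)` calls, in the `pi` and `tech` branches, pass `node_id_or_hostname_in_slice` as the second argument, while the guard on the line before tests `node_id_or_hostname`. No visible line binds the longer name, so this looks like a typo. If it is unbound, a pi or tech caller who supplies a node gets a NameError instead of an authorization decision: the call fails closed, but as an unhandled fault rather than `PLCPermissionDenied`, and the node-based grant for those roles can never succeed. Both calls should read `AuthorizeHelpers.node_id_or_hostname_in_slice(self.api, node_id_or_hostname, slice)`. The enclosing method starts and ends outside this hunk, so confirm the parameter name against its signature, and add a test that exercises a tech caller setting a tag on a node in the slice.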