- if 'admin' not in self.caller['roles']:
- # this knows how to deal with self.caller being a node
- if not AuthorizeHelpers.caller_may_access_tag_type (self.api, self.caller, tag_type):
- raise PLCPermissionDenied, "%s, forbidden tag %s"%(self.name,tag_type['tagname'])
- # node callers: check the node is in the slice
- if isinstance(self.caller, Node):
- granted=AuthorizeHelpers.node_in_slice (self.api, self.caller, slice)
- else:
- if nodegroup_id_or_name:
- raise PLCPermissionDenied, "%s, cannot set slice tag on nodegroup"%self.name
- # try all roles to find a match
- granted=False
- for role in self.caller['roles']:
- if role=='pi':
- if AuthorizeHelpers.person_in_slice(self.api, self.caller, slice):
- granted=True ; break
- if node_id_or_hostname is not None and \
- AuthorizeHelpers.node_id_or_hostname_in_slice(self.api, node_id_or_hostname_in_slice, slice):
- granted=True ; break
- elif role=='user':
- if AuthorizeHelpers.person_in_slice(self.api, self.caller, slice):
- granted=True ; break
- elif role=='tech':
- if node_id_or_hostname is not None and \
- AuthorizeHelpers.node_id_or_hostname_in_slice(self.api, node_id_or_hostname_in_slice, slice):
- granted=True ; break
- if not granted:
- raise PLCPermissionDenied, "%s, forbidden tag %s"%(self.name,tag_type['tagname'])