X-Git-Url: http://git.onelab.eu/?a=blobdiff_plain;f=geni%2Futil%2Fauth.py;h=6ec5dacd01afa656137d2a1b6b5b597b6cfe9ce2;hb=1558d5577c91788ef01eab10f6dfadef7c51b511;hp=48c39221e5be8e49723311f8407ac18d7a9fe7a0;hpb=39f550455dfb790ada7d04b3aa1cc48ebb127809;p=sfa.git diff --git a/geni/util/auth.py b/geni/util/auth.py index 48c39221..6ec5dacd 100644 --- a/geni/util/auth.py +++ b/geni/util/auth.py @@ -141,12 +141,52 @@ class Auth: if name.startswith(object_hrn + "."): return raise PermissionError(name) - + + def determine_user_rights(self, src_cred, record): + """ + Given a user credential and a record, determine what set of rights the + user should have to that record. + + This is intended to replace determine_rights() and + verify_cancreate_credential() + """ + + type = record.get_type() + cred_object_hrn = src_cred.get_gid_object().get_hrn() + + rl = RightList() + + if type=="slice": + researchers = record.get_geni_info().get("researcher", []) + if (cred_object_hrn in researchers): + rl.add("refresh") + rl.add("embed") + rl.add("bind") + rl.add("control") + rl.add("info") + + elif type == "authority": + pis = record.get_geni_info().get("pi", []) + operators = record.get_geni_info().get("operator", []) + if (cred_object_hrn in pis): + rl.add("sa") + if (cred_object_hrn in operators): + rl.add("ma") + if (cred_object_hrn in pis) or (cred_object_hrn in operators): + rl.add("authority") + + elif type == "user": + rl.add("refresh") + rl.add("resolve") + rl.add("info") + + return rl + def verify_cancreate_credential(self, src_cred, record): """ - Verify that a user can retrive a particular type of credential. + Verify that a user can retrive a particular type of credential. For slices, the user must be on the researcher list. For SA and - MA the user must be on the pi and operator lists respectively + MA the user must be on the pi and operator lists respectively """ type = record.get_type() 
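Review bot: In determine_user_rights the `type == "user"` branch grants refresh/resolve/info without comparing cred_object_hrn to the record, unlike the slice and authority branches, which first check membership in the researcher/pi/operator lists; if any credential holder is meant to get those rights on every user record, state that in a comment (`# any valid credential may refresh/resolve/info a user record`), otherwise gate the branch on the credential's hrn matching the user record's hrn. The docstring says this method is intended to replace verify_cancreate_credential(), yet that method (which continues past the hunk) still carries its own copy of the researcher/pi/operator policy, so the two can drift; having it derive its answer from determine_user_rights would keep a single source of truth. As a point of style, `type = record.get_type()` shadows the builtin (`rec_type` would do), and `record.get_geni_info()` is called up to three times in the authority branch, so binding `info = record.get_geni_info()` once reads cleaner. The enclosing class Auth begins before this hunk.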
@@ -171,18 +211,9 @@ class Auth: return ".".join(parts[-1:]) def get_authority(self, hrn): - parts = hrn.split(".") return ".".join(parts[:-1]) - def get_auth_type(self, type): - if (type=="slice") or (type=="user") or (type=="sa"): - return "sa" - elif (type=="component") or (type=="ma"): - return "ma" - else: - raise UnknownGeniType(type) - def hrn_to_pl_slicename(self, hrn): parts = hrn.split(".") return parts[-2] + "_" + parts[-1]