X-Git-Url: http://git.onelab.eu/?a=blobdiff_plain;f=sfa%2Ftrust%2Fauth.py;h=54fd9d23b92f15c07a4f798ec70fc631cb3040e2;hb=f2282434e40e06365e0fdd3f9bc273a793f41235;hp=31ba051aab51682019b41d1095f0d67efd46628b;hpb=6fbad04fa3db515d73f2b6a298b376c7ff275521;p=sfa.git

diff --git a/sfa/trust/auth.py b/sfa/trust/auth.py
index 31ba051a..54fd9d23 100644
--- a/sfa/trust/auth.py
+++ b/sfa/trust/auth.py
@@ -225,9 +225,12 @@ class Auth:
         @param name human readable name to test  
         """
         object_hrn = self.object_gid.get_hrn()
-        if object_hrn == name:
-            return
-        if name.startswith(object_hrn + "."):
+	#strname = str(name).strip("['']")
+	if object_hrn == name:
+        #if object_hrn == strname:
+            return 
+        if name.startswith(object_hrn + ".") :
+        #if strname.startswith((object_hrn + ".")) is True:
             return
         #if name.startswith(get_authority(name)):
             #return
@@ -239,18 +242,22 @@ class Auth:
         Given a user credential and a record, determine what set of rights the
         user should have to that record.
         
-        This is intended to replace determine_rights() and
+        This is intended to replace determine_user_rights() and
         verify_cancreate_credential()
         """
 
         rl = Rights()
         type = reg_record.type
 
+        logger.debug("entering determine_user_rights with record %s and caller_hrn %s"%(reg_record, caller_hrn))
 
-        if type=='slice':
-            researchers = reg_record.get('researcher',[])
-            pis = reg_record.get('PI',[])
-            if (caller_hrn in researchers + pis):
+        if type == 'slice':
+            # researchers in the slice are in the DB as-is
+            researcher_hrns = [ user.hrn for user in reg_record.reg_researchers ]
+            # locating PIs attached to that slice
+            slice_pis=reg_record.get_pis()
+            pi_hrns = [ user.hrn for user in slice_pis ]
+            if (caller_hrn in researcher_hrns + pi_hrns):
                 rl.add('refresh')
                 rl.add('embed')
                 rl.add('bind')
@@ -258,18 +265,21 @@ class Auth:
                 rl.add('info')
 
         elif type == 'authority':
-            pis = reg_record.get('PI',[])
-            operators = reg_record.get('operator',[])
+            pi_hrns = [ user.hrn for user in reg_record.reg_pis ]
             if (caller_hrn == self.config.SFA_INTERFACE_HRN):
                 rl.add('authority')
                 rl.add('sa')
                 rl.add('ma')
-            if (caller_hrn in pis):
+            if (caller_hrn in pi_hrns):
                 rl.add('authority')
                 rl.add('sa')
-            if (caller_hrn in operators):
-                rl.add('authority')
-                rl.add('ma')
+            # NOTE: for the PL implementation, this 'operators' list 
+            # amounted to users with 'tech' role in that site 
+            # it seems like this is not needed any longer, so for now I just drop that
+            # operator_hrns = reg_record.get('operator',[])
+            # if (caller_hrn in operator_hrns):
+            #    rl.add('authority')
+            #    rl.add('ma')
 
         elif type == 'user':
             rl.add('refresh')