X-Git-Url: http://git.onelab.eu/?a=blobdiff_plain;f=sfa%2Ftrust%2Fauth.py;h=ebee5896a9d2f81c6042c2c4c57fcf6271ca1273;hb=0a1ec382afaade5edf87298cba5431b864b21a5d;hp=57583e46b8ac16a2f8220d842cf856902aee5190;hpb=ec74e6b27d2095b9ff8d5dd7b499fb58dadd127c;p=sfa.git diff --git a/sfa/trust/auth.py b/sfa/trust/auth.py index 57583e46..ebee5896 100644 --- a/sfa/trust/auth.py +++ b/sfa/trust/auth.py @@ -203,34 +203,21 @@ class Auth: raise PermissionError(name) - def determine_user_rights(self, src_cred, record): + def determine_user_rights(self, caller_hrn, record): """ Given a user credential and a record, determine what set of rights the user should have to that record. - - Src_cred can be None when obtaining a user credential, but should be - set to a valid user credential when obtaining a slice or authority - credential. - + This is intended to replace determine_rights() and verify_cancreate_credential() """ - type = record['type'] - if src_cred: - cred_object_hrn = src_cred.get_gid_object().get_hrn() - else: - # supplying src_cred==None is only valid when obtaining user - # credentials. - #assert(type == "user") - - cred_object_hrn = None - rl = RightList() + type = record['type'] if type=="slice": researchers = record.get("researcher", []) - if (cred_object_hrn in researchers): + if (caller_hrn in researchers): rl.add("refresh") rl.add("embed") rl.add("bind") @@ -238,11 +225,13 @@ class Auth: rl.add("info") elif type == "authority": - pis = record.get("pi", []) + pis = record.get("PI", []) operators = record.get("operator", []) - if (cred_object_hrn in pis): + if (caller_hrn == self.config.SFA_INTERFACE_HRN): + rl.add("authority,sa,ma",) + if (caller_hrn in pis): rl.add("authority,sa") - if (cred_object_hrn in operators): + if (caller_hrn in operators): rl.add("authority,ma") elif type == "user":