From: Tony Mack Date: Thu, 31 Dec 2009 17:59:12 +0000 (+0000) Subject: origin caller either be the acutall caller or a child of the caller X-Git-Tag: sfa-0.9-7~41 X-Git-Url: http://git.onelab.eu/?a=commitdiff_plain;h=f3da2cc62325ad1fc482ec5b3f639dcf946ada23;p=sfa.git origin caller either be the acutall caller or a child of the caller
---
diff --git a/sfa/methods/get_credential.py b/sfa/methods/get_credential.py
index 2ac75fea..742514c5 100644
--- a/sfa/methods/get_credential.py
+++ b/sfa/methods/get_credential.py
@@ -73,15 +73,18 @@ class get_credential(Method):
 self.api.fill_record_info(record)
 caller_hrn = self.api.auth.client_cred.get_gid_caller().get_hrn()
+ object_hrn = self.api.auth.client_cred.get_gid_object().get_hrn()
 rights = self.api.auth.determine_user_rights(caller_hrn, record)
+ # make sure caller has rights to this object
 if rights.is_empty():
- raise PermissionError(self.api.auth.client_cred.get_gid_object().get_hrn() + " has no rights to " + record['name'])
-
- # TODO: Check permission that self.client_cred can access the object
+ raise PermissionError(object_hrn + " has no rights to " + record['name'])
+
+ # make sure origin caller is either the caller or a child of the caller
+ if not origin_hrn.startswith(caller_hrn):
+ raise PermissionError("origin caller (%s) is not a child of actual caller (%s)" % (origin_hrn, caller_hrn)
 gid = record['gid']
 gid_object = GID(string=gid)
- new_cred = Credential(subject = gid_object.get_subject())
 new_cred.set_gid_caller(self.api.auth.client_gid)
 new_cred.set_gid_origin_caller(origin_caller_gid_object)