From 37a1e40eb140922e88a1f74a32148b9dff76f886 Mon Sep 17 00:00:00 2001
From: Sapan Bhatia
Date: Tue, 27 Jul 2010 10:33:39 -0400
Subject: [PATCH] Added Policy Classes for specifying access control policies to PLC tables. + Modified the Slices table to use these classes
---
 PLC/Slices.py | 52 ++++++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 51 insertions(+), 1 deletion(-)
diff --git a/PLC/Slices.py b/PLC/Slices.py
index 59a592ba..1892cae9 100644
--- a/PLC/Slices.py
+++ b/PLC/Slices.py
@@ -14,6 +14,7 @@ from PLC.Nodes import Node
 from PLC.Persons import Person, Persons
 from PLC.SliceTags import SliceTag
 from PLC.Timestamp import Timestamp
+from PLC.SlicesPolicy import SlicesPolicy
 class Slice(Row):
 """
@@ -250,12 +251,61 @@ class Slice(Row): class Slices(Table): + def read_policy(self, api, caller, slice_filter, columns, expires): + """ + Returns set of rows caller is allowed to touch + """ + + # If we are not admin, make sure to return only viewable + # slices. + if isinstance(caller, Person) and \ + 'admin' not in caller['roles']: + # Get slices that we are able to view + valid_slice_ids = caller['slice_ids'] + if 'pi' in caller['roles'] and caller['site_ids']: + sites = Sites(self.api, caller['site_ids']) + for site in sites: + valid_slice_ids += site['slice_ids'] + + if not valid_slice_ids: + return [] + + if slice_filter is None: + slice_filter = valid_slice_ids + + # Must query at least slice_id (see below) + if return_fields is not None and 'slice_id' not in return_fields: + return_fields.append('slice_id') + added_fields = True + else: + added_fields = False + + # Filter out slices that are not viewable + if isinstance(caller, Person) and \ + 'admin' not in caller['roles']: + slices = filter(lambda slice: slice['slice_id'] in valid_slice_ids, slices) + + # Remove slice_id if not specified + if added_fields: + for slice in slices: + if 'slice_id' in slice: + del slice['slice_id'] + + return slices + """ Representation of row(s) from the slices table in the database. """ + def __init__(self, api, caller, slice_filter = None, columns = None, expires = int(time.time())): + + ### XXX Todo: Use pyaspects(?) if this doesn't get better soon + + self.policy = SlicesPolicy(api, caller) + policy_filter = self.policy.incoming(slice_filter, columns, {'expires':expires}) + slice_filter = policy_filter['row_filter'] + columns = policy_filter['column_filter'] - def __init__(self, api, slice_filter = None, columns = None, expires = int(time.time())): Table.__init__(self, api, Slice, columns) # the view that we're selecting upon: start with view_slices -- 2.47.0
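Review bot: `read_policy` cannot run as written, because it reads `return_fields` and `slices`, which are neither parameters nor assigned anywhere in the method, so the final `filter(...)` meant to hide non-viewable slices would raise NameError once reached; `Sites` is also not among the imports visible in this patch. In the same method `valid_slice_ids = caller['slice_ids']` aliases the caller record, so the later `+=` over site slices widens the caller's own `slice_ids` in place; `valid_slice_ids = list(caller['slice_ids'])` avoids that. `__init__` now takes `caller` as the second positional argument while the diffstat lists only this file, so any existing `Slices(api, slice_filter, ...)` call would hand its filter to `SlicesPolicy` as the principal; those call sites presumably need updating in the same change. The method is also inserted between `class Slices(Table):` and the class docstring, so that string stops being the docstring of `Slices`; `read_policy` belongs below it.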