From 3b678740bc0feedb21870b06fbc15a5dfb0ffeec Mon Sep 17 00:00:00 2001
From: Scott Baker
Date: Mon, 9 Jun 2014 13:11:54 -0700
Subject: [PATCH] fix filtering of deployments when adding slivers
---
 planetstack/core/acl.py | 28 +++++++++++++++++++++++++---
 planetstack/core/admin.py | 6 +++---
 2 files changed, 28 insertions(+), 6 deletions(-)
diff --git a/planetstack/core/acl.py b/planetstack/core/acl.py
index 7fc6a02..7856414 100644
--- a/planetstack/core/acl.py
+++ b/planetstack/core/acl.py
@@ -1,5 +1,22 @@
 from fnmatch import fnmatch
+"""
+ A General-purpose ACL mechanism.
+
+ [allow | deny]
+
+ "allow all" and "deny all" are shorthand for allowing or denying all objects.
+ Lines are executed from top to bottom until a match was found, typical
+ iptables style. An implicit 'deny all' exists at the bottom of the list.
+
+ For example,
+ allow site Max Planck Institute
+ deny site Arizona
+ allow region US
+ deny user scott@onlab.us
+ allow user *@onlab.us
+"""
+
 class AccessControlList:
 def __init__(self, aclText=None):
 self.rules = []
@@ -42,17 +59,20 @@ class AccessControlList:
 lines.append( " ".join(rule) )
 return ";\n".join(lines)
- def test(self, user):
+ def test(self, user, site=None):
 for rule in self.rules:
 if self.match_rule(rule, user):
 return rule[0]
 return "deny"
- def match_rule(self, rule, user):
+ def match_rule(self, rule, user, site=None):
 (action, object, pattern) = rule
+ if (site==None):
+ site = user.site
+
 if (object == "site"):
- if fnmatch(user.site.name, pattern):
+ if fnmatch(site.name, pattern):
 return True
 elif (object == "user"):
 if fnmatch(user.email, pattern):
@@ -64,6 +84,8 @@ class AccessControlList:
 if __name__ == '__main__':
+ # self-test
+
 class fakesite:
 def __init__(self, siteName):
 self.name = siteName
diff --git a/planetstack/core/admin.py b/planetstack/core/admin.py
index 6fe9095..8bf7976 100644
--- a/planetstack/core/admin.py
+++ b/planetstack/core/admin.py
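Review bot: In planetstack/core/acl.py the new triple-quoted block sits after `from fnmatch import fnmatch`, so Python treats it as a bare string expression rather than the module docstring and the module's `__doc__` stays unset; it should move above the import. The grammar line as shown reads only `[allow | deny]`, while every example uses three fields (action, object type, pattern), so the syntax line should name all three. It is also worth stating that patterns are shell-style globs matched with `fnmatch`, whose case sensitivity follows the host OS, because that changes how an ACL author has to write a rule.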
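Review bot: In planetstack/core/acl.py, `test()` gains a `site` parameter, but the unchanged call inside its loop is still `self.match_rule(rule, user)`, so a site supplied by the caller is dropped and every "site" rule is evaluated against `user.site` instead. The call should forward it: `if self.match_rule(rule, user, site):`. In `match_rule`, `if (site==None):` is better written `if site is None:`, and if `user.site` can itself be unset the following `site.name` still raises AttributeError rather than falling through to the implicit deny. The body of `match_rule` continues past the end of this hunk, so the remaining branches were not reviewed.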
@@ -232,10 +232,10 @@ class SliverInline(PlStackTabularInline): return Sliver.select_by_user(request.user) def formfield_for_foreignkey(self, db_field, request=None, **kwargs): - field = super(SliverInline, self).formfield_for_foreignkey(db_field, request, **kwargs) - if db_field.name == 'deploymentNetwork': - kwargs['queryset'] = Deployment.select_by_user(request.user) + kwargs['queryset'] = Deployment.select_by_acl(request.user) + + field = super(SliverInline, self).formfield_for_foreignkey(db_field, request, **kwargs) return field -- 2.43.0
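Review bot: `formfield_for_foreignkey` declares `request=None`, yet the new line `kwargs['queryset'] = Deployment.select_by_acl(request.user)` dereferences `request.user` with no guard, so a call without a request fails with AttributeError. If a missing request is a supported case, decide explicitly what the field should offer then (an empty queryset is the safe choice) rather than relying on the exception. The fix depends on the queryset being placed in `kwargs` before `super()` builds the field, so a comment such as `# must be set before super() builds the field, or the filter is ignored` would keep the order from being swapped back. `Deployment.select_by_acl` is not defined in this patch, so how it treats a user without a site could not be checked here.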