From dcc6f482920ecb0762646729200323408cce436f Mon Sep 17 00:00:00 2001
From: Thierry Parmentelat <thierry.parmentelat@sophia.inria.fr>
Date: Thu, 25 Nov 2010 16:06:28 +0100
Subject: [PATCH] permission checking on node tags factorized in
 Node.caller_may_write_tag

---
 PLC/AuthorizeHelpers.py      | 17 +++++++++++++++++
 PLC/Methods/AddNodeTag.py    | 14 +-------------
 PLC/Methods/DeleteNodeTag.py | 11 +----------
 PLC/Methods/UpdateNodeTag.py | 12 +-----------
 4 files changed, 20 insertions(+), 34 deletions(-)

diff --git a/PLC/AuthorizeHelpers.py b/PLC/AuthorizeHelpers.py
index 9b77238..5651c10 100644
--- a/PLC/AuthorizeHelpers.py
+++ b/PLC/AuthorizeHelpers.py
@@ -77,6 +77,7 @@ class AuthorizeHelpers:
             site=Sites(api,[node['site_id']])[0]
             return AuthorizeHelpers.person_in_site (api, person, site)
         except:
+            import traceback
             return False
 
     # does the slice belong to the site that the (pi) user is in ?
@@ -84,3 +85,19 @@ class AuthorizeHelpers:
     def slice_belongs_to_pi (api, slice, pi):
         return slice['site_id'] in pi['site_ids']
 
+
+# authorization method - check if a given caller can set tag on this object
+# called in {Add,Update,Delete}NodeTags methods and in the accessors factory
+def caller_may_write_node_tag (node, api, caller, tag_type):
+    if 'admin' in caller['roles']:
+        pass
+    elif not AuthorizeHelpers.caller_may_access_tag_type (api, caller, tag_type):
+        raise PLCPermissionDenied, "Role mismatch for writing tag %s"%(tag_type['tagname'])
+    elif AuthorizeHelpers.node_belongs_to_person (api, node, caller):
+        pass
+    else:
+        raise PLCPermissionDenied, "Writing node tag: must belong in the same site as %s"%\
+            (node['hostname'])
+
+setattr(Node,'caller_may_write_tag',caller_may_write_node_tag)
+        
diff --git a/PLC/Methods/AddNodeTag.py b/PLC/Methods/AddNodeTag.py
index af593f1..d885cac 100644
--- a/PLC/Methods/AddNodeTag.py
+++ b/PLC/Methods/AddNodeTag.py
@@ -11,8 +11,6 @@ from PLC.Nodes import Node, Nodes
 from PLC.TagTypes import TagType, TagTypes
 from PLC.NodeTags import NodeTag, NodeTags
 
-from PLC.AuthorizeHelpers import AuthorizeHelpers
-
 class AddNodeTag(Method):
     """
     Sets the specified tag for the specified node
@@ -60,18 +58,8 @@ class AddNodeTag(Method):
             raise PLCInvalidArgument, "Node %d already has tag %d"%(node['node_id'],
                                                                     tag_type['tag_type_id'])
 
-
         # check authorizations
-        if 'admin' in self.caller['roles']:
-            pass
-        elif not AuthorizeHelpers.caller_may_access_tag_type (self.api, self.caller, tag_type):
-            raise PLCPermissionDenied, "%s, forbidden tag %s (%s)"%(self.name,tag_type['tagname'],self.caller['email'])
-        elif AuthorizeHelpers.node_belongs_to_person (self.api, node, self.caller):
-            pass
-        else:
-            raise PLCPermissionDenied, "%s: caller %r must belong in the same site as subject node %s"%\
-                (self.name,self.caller,node['hostname'])
-
+        node.caller_may_write_tag(self.api,self.caller,tag_type)
 
         node_tag = NodeTag(self.api)
         node_tag['node_id'] = node['node_id']
diff --git a/PLC/Methods/DeleteNodeTag.py b/PLC/Methods/DeleteNodeTag.py
index 019670c..2afa446 100644
--- a/PLC/Methods/DeleteNodeTag.py
+++ b/PLC/Methods/DeleteNodeTag.py
@@ -12,8 +12,6 @@ from PLC.Nodes import Node, Nodes
 from PLC.TagTypes import TagType, TagTypes
 from PLC.NodeTags import NodeTag, NodeTags
 
-from PLC.AuthorizeHelpers import AuthorizeHelpers
-
 class DeleteNodeTag(Method):
     """
     Deletes the specified node tag
@@ -49,14 +47,7 @@ class DeleteNodeTag(Method):
         node=nodes[0]
 
         # check authorizations
-        if 'admin' in self.caller['roles']:
-            pass
-        elif not AuthorizeHelpers.caller_may_access_tag_type (self.api, self.caller, tag_type):
-            raise PLCPermissionDenied, "%s, forbidden tag %s"%(self.name,tag_type['tagname'])
-        elif AuthorizeHelpers.node_belongs_to_person (self.api, node, self.caller):
-            pass
-        else:
-            raise PLCPermissionDenied, "%s: you must belong in the same site as subject node"%self.name
+        node.caller_may_write_tag(self.api,self.caller,tag_type)
 
         node_tag.delete()
         self.object_ids = [node_tag['node_tag_id']]
diff --git a/PLC/Methods/UpdateNodeTag.py b/PLC/Methods/UpdateNodeTag.py
index c3b4e28..8fd0c88 100644
--- a/PLC/Methods/UpdateNodeTag.py
+++ b/PLC/Methods/UpdateNodeTag.py
@@ -12,8 +12,6 @@ from PLC.Nodes import Node, Nodes
 from PLC.TagTypes import TagType, TagTypes
 from PLC.NodeTags import NodeTag, NodeTags
 
-from PLC.AuthorizeHelpers import AuthorizeHelpers
-
 class UpdateNodeTag(Method):
     """
     Updates the value of an existing node tag
@@ -50,15 +48,7 @@ class UpdateNodeTag(Method):
         node=nodes[0]
 
         # check authorizations
-        if 'admin' in self.caller['roles']:
-            pass
-        elif not AuthorizeHelpers.caller_may_access_tag_type (self.api, self.caller, tag_type):
-            raise PLCPermissionDenied, "%s, forbidden tag %s"%(self.name,tag_type['tagname'])
-        elif AuthorizeHelpers.node_belongs_to_person (self.api, node, self.caller):
-            pass
-        else:
-            raise PLCPermissionDenied, "%s: you must belong in the same site as subject node"%self.name
-
+        node.caller_may_write_tag(self.api,self.caller,tag_type)
 
         node_tag['value'] = value
         node_tag.sync()
-- 
2.43.0