From: Thierry Parmentelat
Date: Tue, 30 Nov 2010 18:17:12 +0000 (+0100)
Subject: propagate caller in more places
X-Git-Tag: plcapi-5.0-19~5
X-Git-Url: http://git.onelab.eu/?p=plcapi.git;a=commitdiff_plain;h=19faf41bfcf949a1848d8646e852f862308b4af8
propagate caller in more places node can change its own tag protect for when caller does not have 'roles'
---
diff --git a/PLC/AuthorizeHelpers.py b/PLC/AuthorizeHelpers.py
index 4e7483d..2f216f6 100644
--- a/PLC/AuthorizeHelpers.py
+++ b/PLC/AuthorizeHelpers.py
@@ -87,18 +87,24 @@ class AuthorizeHelpers:
 def slice_belongs_to_pi (api, slice, pi):
 return slice['site_id'] in pi['site_ids']
+ @staticmethod
+ def caller_is_node (api, caller, node):
+ return 'node_id' in caller and caller['node_id']==node['node_id']
+
 # authorization methods - check if a given caller can set tag on this object
 # called in {Add,Update,Delete}Tags methods, and in the accessors created in factory
 # attach these as .caller_may_write_tag so accessors can find it
 def caller_may_write_node_tag (node, api, caller, tag_type):
- if 'admin' in caller['roles']:
+ if 'roles' in caller and 'admin' in caller['roles']:
 pass
 elif not AuthorizeHelpers.caller_may_access_tag_type (api, caller, tag_type):
 raise PLCPermissionDenied, "Role mismatch for writing tag %s"%(tag_type['tagname'])
 elif AuthorizeHelpers.node_belongs_to_person (api, node, caller):
 pass
+ elif AuthorizeHelpers.caller_is_node (api, caller, node):
+ pass
 else:
 raise PLCPermissionDenied, "Writing node tag: must belong in the same site as %s"%\
 (node['hostname'])
@@ -107,7 +113,7 @@ setattr(Node,'caller_may_write_tag',caller_may_write_node_tag)
 def caller_may_write_interface_tag (interface, api, caller, tag_type):
- if 'admin' in caller['roles']:
+ if 'roles' in caller and 'admin' in caller['roles']:
 pass
 elif not AuthorizeHelpers.caller_may_access_tag_type (api, caller, tag_type):
 raise PLCPermissionDenied, "Role mismatch for writing tag %s"%(tag_type['tagname'])
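Review bot: `caller_is_node` identifies a node by the mere presence of a `node_id` key rather than by the caller's type, so any caller dict that happens to carry `node_id` would be granted the self-write branch in `caller_may_write_node_tag`; if node callers are `Node` instances (the class the `setattr(Node, ...)` line targets, which the hunk does not show), `return isinstance(caller, Node) and caller['node_id']==node['node_id']` is the tighter check. The new `elif` branch also deserves a comment, because it sits after `caller_may_access_tag_type`, so a node writing its own tag still needs a tag type that admits its role and the branch only waives the same-site requirement: `# a node may write tags on itself; the tag-type role check above still applies`. The guard `'roles' in caller and 'admin' in caller['roles']` is now copied in this hunk and again in the hunks at -107, -121, -134 and -147; one small static helper next to `caller_is_node` (a constructed name such as `caller_is_admin(caller)`) would keep the five copies from drifting. `caller_may_write_node_tag` appears complete within the hunk, but the `AuthorizeHelpers` class that holds `caller_is_node` begins above it.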
@@ -121,7 +127,7 @@ setattr(Interface,'caller_may_write_tag',caller_may_write_interface_tag)
 def caller_may_write_site_tag (site, api, caller, tag_type):
- if 'admin' in caller['roles']:
+ if 'roles' in caller and 'admin' in caller['roles']:
 pass
 elif not AuthorizeHelpers.caller_may_access_tag_type (api, caller, tag_type):
 raise PLCPermissionDenied, "Role mismatch for writing tag %s"%(tag_type['tagname'])
@@ -134,7 +140,7 @@ setattr(Site,'caller_may_write_tag',caller_may_write_site_tag)
 def caller_may_write_person_tag (person, api, caller, tag_type):
- if 'admin' in caller['roles']:
+ if 'roles' in caller and 'admin' in caller['roles']:
 pass
 # user can change tags on self
 elif AuthorizeHelpers.person_may_access_person (api, caller, person):
@@ -147,7 +153,7 @@ setattr(Person,'caller_may_write_tag',caller_may_write_person_tag)
 def caller_may_write_slice_tag (slice, api, caller, tag_type, node_id_or_hostname=None, nodegroup_id_or_name=None):
 granted=False
- if 'admin' in caller['roles']:
+ if 'roles' in caller and 'admin' in caller['roles']:
 granted=True
 # does caller have right role(s) ? this knows how to deal with caller being a node
 elif not AuthorizeHelpers.caller_may_access_tag_type (api, caller, tag_type):
diff --git a/PLC/Methods/GetNodeFlavour.py b/PLC/Methods/GetNodeFlavour.py
index a9d6817..92c0fc4 100644
--- a/PLC/Methods/GetNodeFlavour.py
+++ b/PLC/Methods/GetNodeFlavour.py
@@ -46,7 +46,7 @@ class GetNodeFlavour(Method):
 pldistro = GetNodePldistro (self.api,self.caller).call(auth, node_id)
 if not pldistro:
 pldistro = self.api.config.PLC_FLAVOUR_NODE_PLDISTRO
- SetNodePldistro(self.api).call(auth,node_id,pldistro)
+ SetNodePldistro(self.api,self.caller).call(auth,node_id,pldistro)
 # xxx would make sense to check the corresponding bootstrapfs is available
 return "%s-%s-%s"%(pldistro,fcdistro,arch)
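Review bot: Passing `self.caller` into `SetNodePldistro` here (and into `SetNodeArch`/`SetNodeFcdistro` in the hunk at -72) makes the tagging side effect run with the real caller's rights, so a caller who may read a node's flavour but may not write its tags will presumably receive `PLCPermissionDenied` from the nested accessor on the first call for an untagged node instead of the flavour string; the hunk does not show how the accessor behaves for such a caller, so this is inferred from `caller_may_write_node_tag` in AuthorizeHelpers.py. If the tagging is meant to be best-effort, catch the permission failure around each `Set*` call and continue with the computed default; if it is meant to be required, state in the method's doc that node-level tag write rights are needed. In either case a comment at the `SetNodePldistro` line would make the new dependency visible: `# persists the default as the caller; needs tag write rights on the node`. The enclosing method begins above this hunk.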
@@ -72,12 +72,12 @@ class GetNodeFlavour(Method):
 # if not set, use the global default and tag the node, in case the global default changes later on
 if not arch:
 arch = self.api.config.PLC_FLAVOUR_NODE_ARCH
- SetNodeArch (self.api).call(auth,node_id,arch)
+ SetNodeArch (self.api,self.caller).call(auth,node_id,arch)
 fcdistro = GetNodeFcdistro (self.api,self.caller).call(auth, node_id)
 if not fcdistro:
 fcdistro = self.api.config.PLC_FLAVOUR_NODE_FCDISTRO
- SetNodeFcdistro (self.api).call (auth, node_id, fcdistro)
+ SetNodeFcdistro (self.api,self.caller).call (auth, node_id, fcdistro)
 # xxx could use some sanity checking, and could provide fallbacks
 return { 'nodefamily' : self.nodefamily(auth,node_id, fcdistro, arch),