From: Tony Mack Date: Fri, 10 May 2013 12:22:44 +0000 (-0400) Subject: role base filtering for main admin pages X-Git-Tag: 1.0~61^2 X-Git-Url: http://git.onelab.eu/?p=plstackapi.git;a=commitdiff_plain;h=0406283b933e66188b997e3a407bf5481e52364d role base filtering for main admin pages --- diff --git a/plstackapi/core/admin.py b/plstackapi/core/admin.py index 2ddc73b..422ff4b 100644 --- a/plstackapi/core/admin.py +++ b/plstackapi/core/admin.py @@ -144,6 +144,17 @@ class SiteAdmin(OSModelAdmin): inlines = [NodeInline,] search_fields = ['name'] + def queryset(self, request): + # admins can see all keys. Users can only see sites they belong to. + qs = super(SiteAdmin, self).queryset(request) + if not request.user.is_admin: + valid_sites = [request.user.site.login_base] + roles = request.user.get_roles() + for tenant_list in roles.values(): + valid_sites.extend(tenant_list) + qs = qs.filter(login_base__in=valid_sites) + return qs + def get_formsets(self, request, obj=None): for inline in self.get_inline_instances(request, obj): # hide MyInline in the add view @@ -161,6 +172,20 @@ class SitePrivilegeAdmin(PlanetStackBaseAdmin): ] list_display = ('user', 'site', 'role') + def queryset(self, request): + # admins can see all privileges. Users can only see privileges at sites + # where they have the admin role. + qs = super(SitePrivilegeAdmin, self).queryset(request) + if not request.user.is_admin: + roles = request.user.get_roles() + tenants = [] + for (role, tenant_list) in roles: + if role == 'admin': + tenants.extend(tenant_list) + valid_sites = Sites.objects.filter(login_base__in=tenants) + qs = qs.filter(site__in=valid_sites) + return qs + def save_model(self, request, obj, form, change): # update openstack connection to use this site/tenant auth = request.session.get('auth', {}) 
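Review bot: `valid_sites` in `SiteAdmin.queryset` mixes two namespaces, because the reworked `get_roles()` at the end of this commit appends both site `login_base` values and slice names under the same role-type key, and the loop over `roles.values()` then feeds all of them to `login_base__in`. A non-admin who belongs to a slice whose name happens to equal another site's `login_base` would be shown that site. `SliceAdmin.queryset` and `SliverAdmin.queryset` have the mirror-image problem, matching site login_bases against `Slice.name`. Building each filter from the matching membership table keeps the scopes apart, e.g. for slices `qs.filter(name__in=SliceMembership.objects.filter(user=request.user).values_list('slice__name', flat=True))`, with the equivalent query on the site-privilege model for sites. Separately, `request.user.site.login_base` raises AttributeError if a user can exist without a site (not visible here), and the comment says "keys" where it means sites.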
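Review bot: `for (role, tenant_list) in roles:` in `SitePrivilegeAdmin.queryset` iterates the dict's keys rather than its items, so each role-type string is itself unpacked into two names. That raises ValueError for any key that is not exactly two characters long, and `role == 'admin'` can never match, so a non-admin holding any role gets an error page instead of a filtered list. The loop should read `for role, tenant_list in roles.items():`, or more simply `tenants = roles.get('admin', [])`. `SliceMembershipAdmin.queryset` contains the same loop. `Sites.objects` also looks like a typo for the site model (the slice hunks use `Slice.objects`) and would be a NameError unless `Sites` is defined outside this hunk.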
@@ -194,6 +219,17 @@ class SliceAdmin(OSModelAdmin): list_display = ('name', 'site','serviceClass', 'slice_url') inlines = [SliverInline] + def queryset(self, request): + # admins can see all keys. Users can only see slices they belong to. + qs = super(SliceAdmin, self).queryset(request) + if not request.user.is_admin: + valid_slices = [] + roles = request.user.get_roles() + for tenant_list in roles.values(): + valid_slices.extend(tenant_list) + qs = qs.filter(name__in=valid_slices) + return qs + def get_formsets(self, request, obj=None): for inline in self.get_inline_instances(request, obj): # hide MyInline in the add view @@ -218,6 +254,20 @@ class SliceMembershipAdmin(PlanetStackBaseAdmin): ] list_display = ('user', 'slice', 'role') + def queryset(self, request): + # admins can see all memberships. Users can only see memberships of + # slices where they have the admin role. + qs = super(SliceMembershipAdmin, self).queryset(request) + if not request.user.is_admin: + roles = request.user.get_roles() + tenants = [] + for (role, tenant_list) in roles: + if role == 'admin': + tenants.extend(tenant_list) + valid_slices = Slice.objects.filter(name__in=tenants) + qs = qs.filter(slice__in=valid_slices) + return qs + def save_model(self, request, obj, form, change): # update openstack connection to use this site/tenant auth = request.session.get('auth', {}) 
@@ -258,6 +308,19 @@ class SliverAdmin(PlanetStackBaseAdmin): ] list_display = ['ip', 'instance_name', 'slice', 'numberCores', 'image', 'key', 'node', 'deploymentNetwork'] + def queryset(self, request): + # admins can see all slivers. Users can only see slivers of + # the slices they belong to. + qs = super(SliverAdmin, self).queryset(request) + if not request.user.is_admin: + tenants = [] + roles = request.user.get_roles() + for tenant_list in roles.values(): + tenants.extend(tenant_list) + valid_slices = Slice.objects.filter(name__in=tenants) + qs = qs.filter(slice__in=valid_slices) + return qs + def get_formsets(self, request, obj=None): # make some fields read only if we are updating an existing record if obj == None: diff --git a/plstackapi/core/models/pluser.py b/plstackapi/core/models/pluser.py index d51572b..8d09310 100644 --- a/plstackapi/core/models/pluser.py +++ b/plstackapi/core/models/pluser.py @@ -102,9 +102,9 @@ class PLUser(AbstractBaseUser): slice_memberships = SliceMembership.objects.filter(user=self) roles = defaultdict(list) for site_privilege in site_privileges: - roles[site_privilege.site.login_base].append(site_privilege.role.role_type) + roles[site_privilege.role.role_type].append(site_privilege.site.login_base) for slice_membership in slice_memberships: - roles[slice_membership.slice.name].append(slice_membership.role.role_type) + roles[slice_membership.role.role_type].append(slice_membership.slice.name) return roles def save(self, *args, **kwds):
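Review bot: `get_roles()` still returns the `defaultdict(list)` after the key/value swap, so any caller that was not updated and still indexes by site or slice name silently gets an empty list (and inserts the key) instead of failing. For code that makes access decisions from this mapping, a silent empty result is easy to miss. Callers outside this diff are not visible, so this is worth checking, and `return dict(roles)` would make stale lookups raise KeyError. A docstring stating the new shape would also help, e.g. `"""Return {role_type: [site login_base or slice name, ...]} for this user."""`. The function begins above the hunk, so only the loop body is reviewed here.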