From c2835a965f07502b33513822ce0b945ab9e65a4a Mon Sep 17 00:00:00 2001 From: Tony Mack Date: Tue, 28 May 2013 09:18:49 -0400 Subject: [PATCH] update filtering for non admins --- planetstack/core/admin.py | 150 ++++++++++++++++++++++++++++++++++---- 1 file changed, 135 insertions(+), 15 deletions(-) diff --git a/planetstack/core/admin.py b/planetstack/core/admin.py index 9c7cc54..d54387f 100644 --- a/planetstack/core/admin.py +++ b/planetstack/core/admin.py @@ -36,6 +36,7 @@ class SliverInline(admin.TabularInline): extra = 0 #readonly_fields = ['ip', 'instance_name', 'image'] readonly_fields = ['ip', 'instance_name'] + class SiteInline(admin.TabularInline): model = Site 
@@ -62,10 +63,54 @@ class SitePrivilegeInline(admin.TabularInline): model = SitePrivilege extra = 0 + def formfield_for_foreignkey(self, db_field, request, **kwargs): + if db_field.name == 'site': + if not request.user.is_admin: + # only show sites where user is an admin or pi + roles = Role.objects.filter(role_type__in=['admin', 'pi']) + site_privileges = SitePrivilege.objects.filter(user=request.user).filter(role__in=roles) + login_bases = [site_privilege.site.login_base for site_privilege in site_privileges] + sites = Site.objects.filter(login_base__in=login_bases) + kwargs['queryset'] = sites + + if db_field.name == 'user': + if not request.user.is_admin: + # only show users from sites where caller has admin or pi role + roles = Role.objects.filter(role_type__in=['admin', 'pi']) + site_privileges = SitePrivilege.objects.filter(user=request.user).filter(role__in=roles) + sites = [site_privilege.site for site_privilege in site_privileges] + site_privileges = SitePrivilege.objects.filter(site__in=sites) + emails = [site_privilege.user.email for site_privilege in site_privileges] + users = User.objects.filter(email__in=emails) + kwargs['queryset'] = users + return super(SitePrivilegeInline, self).formfield_for_foreignkey(db_field, request, **kwargs) + class SliceMembershipInline(admin.TabularInline): model = SliceMembership extra = 0 + def formfield_for_foreignkey(self, db_field, request, **kwargs): + if db_field.name == 'slice': + if not request.user.is_admin: + # only show slices at sites where caller has admin or pi role + roles = Role.objects.filter(role_type__in=['admin', 'pi']) + site_privileges = SitePrivilege.objects.filter(user=request.user).filter(role__in=roles) + sites = [site_privilege.site for site_privilege in site_privileges] + slices = Slice.objects.filter(site__in=sites) + kwargs['queryset'] = slices + if db_field.name == 'user': + if not request.user.is_admin: + # only show users from sites where caller has admin or pi role + roles = 
Role.objects.filter(role_type__in=['admin', 'pi']) + site_privileges = SitePrivilege.objects.filter(user=request.user).filter(role__in=roles) + sites = [site_privilege.site for site_privilege in site_privileges] + site_privileges = SitePrivilege.objects.filter(site__in=sites) + emails = [site_privilege.user.email for site_privilege in site_privileges] + users = User.objects.filter(email__in=emails) + kwargs['queryset'] = list(users) + + return super(SliceMembershipInline, self).formfield_for_foreignkey(db_field, request, **kwargs) + class SliceTagInline(admin.TabularInline): model = SliceTag extra = 0 
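Review bot: In the `user` branch of SliceMembershipInline.formfield_for_foreignkey the result is stored as `kwargs['queryset'] = list(users)`, whereas every other copy of this block passes the QuerySet itself. The choice field Django builds from this kwarg calls QuerySet methods on it, so a plain list is likely to fail when a non-admin opens the inline; use `kwargs['queryset'] = users`. The admin/pi site-scoping block is also repeated in SitePrivilegeInline here and again in the SitePrivilegeAdmin, SliceAdmin and SliceMembershipAdmin hunks, and the copies already differ. A single module-level helper that returns the caller's sites would keep this authorization rule in one place.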
@@ -188,18 +233,39 @@ class SitePrivilegeAdmin(PlanetStackBaseAdmin): ] list_display = ('user', 'site', 'role') + def formfield_for_foreignkey(self, db_field, request, **kwargs): + if db_field.name == 'site': + if not request.user.is_admin: + # only show sites where user is an admin or pi + sites = set() + for site_privilege in SitePrivilege.objects.filer(user=request.user): + if site_privilege.role.role_type in ['admin', 'pi']: + sites.add(site_privilege.site) + kwargs['queryset'] = Site.objects.filter(site__in=list(sites)) + + if db_field.name == 'user': + if not request.user.is_admin: + # only show users from sites where caller has admin or pi role + roles = Role.objects.filter(role_type__in=['admin', 'pi']) + site_privileges = SitePrivilege.objects.filter(user=request.user).filter(role__in=roles) + sites = [site_privilege.site for site_privilege in site_privileges] + site_privileges = SitePrivilege.objects.filter(site__in=sites) + emails = [site_privilege.user.email for site_privilege in site_privileges] + users = User.objects.filter(email__in=emails) + kwargs['queryset'] = users + + return super(SitePrivilegeAdmin, self).formfield_for_foreignkey(db_field, request, **kwargs) + def queryset(self, request): # admins can see all privileges. Users can only see privileges at sites - # where they have the admin role. + # where they have the admin role or pi role. 
qs = super(SitePrivilegeAdmin, self).queryset(request) if not request.user.is_admin: - roles = request.user.get_roles() - tenants = [] - for (role, tenant_list) in roles: - if role == 'admin': - tenants.extend(tenant_list) - valid_sites = Sites.objects.filter(login_base__in=tenants) - qs = qs.filter(site__in=valid_sites) + roles = Role.objects.filter(role_type__in=['admin', 'pi']) + site_privileges = SitePrivilege.objects.filter(user=request.user).filter(role__in=roles) + login_bases = [site_privilege.site.login_base for site_privilege in site_privileges] + sites = Site.objects.filter(login_base__in=login_bases) + qs = qs.filter(site__in=sites) return qs def save_model(self, request, obj, form, change): @@ -235,6 +301,18 @@ class SliceAdmin(OSModelAdmin): list_display = ('name', 'site','serviceClass', 'slice_url') inlines = [SliverInline, SliceMembershipInline, SliceTagInline] + def formfield_for_foreignkey(self, db_field, request, **kwargs): + if db_field.name == 'site': + if not request.user.is_admin: + # only show sites where user is a pi or admin + roles = Role.objects.filter(role_type__in=['admin', 'pi']) + site_privileges = SitePrivilege.objects.filter(user=request.user).filter(role__in=roles) + login_bases = [site_privilege.site.login_base for site_privilege in site_privileges] + sites = Site.objects.filter(login_base__in=login_bases) + kwargs['queryset'] = sites + + return super(SliceAdmin, self).formfield_for_foreignkey(db_field, request, **kwargs) + def queryset(self, request): # admins can see all keys. Users can only see slices they belong to. qs = super(SliceAdmin, self).queryset(request) 
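Review bot: The `site` branch of SitePrivilegeAdmin.formfield_for_foreignkey calls `SitePrivilege.objects.filer(user=request.user)`, a misspelling of `filter` that raises AttributeError; the same misspelling is in the UserAdmin hunk. The line after the loop filters `Site` on `site__in`, while every other Site lookup in this patch uses `login_base__in`, so that lookup is probably invalid as well. Both statements sit under `if not request.user.is_admin`, so testing as an admin never reaches them and the restriction is never actually applied. Reusing the form that `queryset()` adopts in this same hunk fixes both: `login_bases = [sp.site.login_base for sp in site_privileges]` then `kwargs['queryset'] = Site.objects.filter(login_base__in=login_bases)`.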
@@ -270,18 +348,40 @@ class SliceMembershipAdmin(PlanetStackBaseAdmin): ] list_display = ('user', 'slice', 'role') + def formfield_for_foreignkey(self, db_field, request, **kwargs): + if db_field.name == 'slice': + if not request.user.is_admin: + # only show slices at sites where caller has admin or pi role + roles = Role.objects.filter(role_type__in=['admin', 'pi']) + site_privileges = SitePrivilege.objects.filter(user=request.user).filter(role__in=roles) + sites = [site_privilege.site for site_privilege in site_privileges] + slices = Slice.objects.filter(site__in=sites) + kwargs['queryset'] = slices + + if db_field.name == 'user': + if not request.user.is_admin: + # only show users from sites where caller has admin or pi role + roles = Role.objects.filter(role_type__in=['admin', 'pi']) + site_privileges = SitePrivilege.objects.filter(user=request.user).filter(role__in=roles) + sites = [site_privilege.site for site_privilege in site_privileges] + site_privileges = SitePrivilege.objects.filter(site__in=sites) + emails = [site_privilege.user.email for site_privilege in site_privileges] + users = User.objects.filter(email__in=emails) + kwargs['queryset'] = users + + return super(SliceMembershipAdmin, self).formfield_for_foreignkey(db_field, request, **kwargs) + def queryset(self, request): # admins can see all memberships. Users can only see memberships of # slices where they have the admin role. 
qs = super(SliceMembershipAdmin, self).queryset(request) if not request.user.is_admin: - roles = request.user.get_roles() - tenants = [] - for (role, tenant_list) in roles: - if role == 'admin': - tenants.extend(tenant_list) - valid_slices = Slice.objects.filter(name__in=tenants) - qs = qs.filter(slice__in=valid_slices) + roles = Role.objects.filter(role_type__in=['admin', 'pi']) + site_privileges = SitePrivilege.objects.filter(user=request.user).filter(role__in=roles) + login_bases = [site_privilege.site.login_base for site_privilege in site_privileges] + sites = Site.objects.filter(login_base__in=login_bases) + slices = Slice.objects.filter(site__in=sites) + qs = qs.filter(slice__in=slices) return qs def save_model(self, request, obj, form, change): @@ -324,6 +424,14 @@ class SliverAdmin(PlanetStackBaseAdmin): ] list_display = ['ip', 'instance_name', 'slice', 'numberCores', 'image', 'key', 'node', 'deploymentNetwork'] + def formfield_for_foreignkey(self, db_field, request, **kwargs): + if db_field.name == 'slice': + if not request.user.is_admin: + slices = set([sm.slice.name for sm in SliceMembership.objects.filter(user=request.user)]) + kwargs['queryset'] = Slice.objects.filter(name__in=list(slices)) + + return super(SliverAdmin, self).formfield_for_foreignkey(db_field, request, **kwargs) + def queryset(self, request): # admins can see all slivers. Users can only see slivers of # the slices they belong to. 
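Review bot: The comment kept above SliceMembershipAdmin.queryset still says users see memberships of "slices where they have the admin role", but the new body scopes by site-level privilege. Anyone holding the admin or pi role at a site now sees the memberships of every slice at that site. The SitePrivilegeAdmin hunk updated its comment for the equivalent change; this one should end `# slices at sites where they have the admin or pi role.` If the wider visibility is not intended, it is the filter rather than the comment that needs changing.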
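Review bot: The `slice` branch of SliverAdmin.formfield_for_foreignkey carries no comment stating its rule, unlike the other filters in this patch, and the rule differs from theirs: any slice membership qualifies, with no role check. A line such as `# only show slices the caller is a member of (any role)` would make that choice explicit for whoever audits these filters next. The lookup also round-trips through `name` and loads each membership's slice one at a time; `Slice.objects.filter(pk__in=SliceMembership.objects.filter(user=request.user).values_list('slice', flat=True))` matches on the key instead.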
@@ -444,6 +552,18 @@ class UserAdmin(UserAdmin, OSModelAdmin): ordering = ('email',) filter_horizontal = () + def formfield_for_foreignkey(self, db_field, request, **kwargs): + if db_field.name == 'site': + if not request.user.is_admin: + # show sites where caller is an admin or pi + sites = [] + for site_privilege in SitePrivilege.objects.filer(user=request.user): + if site_privilege.role.role_type in ['admin', 'pi']: + sites.append(site_privilege.site.login_base) + kwargs['queryset'] = Site.objects.filter(login_base__in(list(sites))) + + return super(UserAdmin, self).formfield_for_foreignkey(db_field, request, **kwargs) + class ServiceResourceInline(admin.TabularInline): model = ServiceResource extra = 0 -- 2.43.0
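Review bot: In UserAdmin.formfield_for_foreignkey, `Site.objects.filter(login_base__in(list(sites)))` calls an undefined name instead of passing a keyword lookup, so once the `filer` misspelling on the loop line is corrected it would raise NameError for every non-admin who opens the user form. It should read `kwargs['queryset'] = Site.objects.filter(login_base__in=sites)`. The failure is confined to the `not request.user.is_admin` path, so a test that loads this form as a site pi is what would catch it and confirm that the site choices are actually restricted.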