first step to merge senslab upstream:
[sfa.git] / sfa / trust / auth.py
index 2f2afb0..54fd9d2 100644 (file)
@@ -225,9 +225,12 @@ class Auth:
         @param name human readable name to test  
         """
         object_hrn = self.object_gid.get_hrn()
-        if object_hrn == name:
-            return
-        if name.startswith(object_hrn + "."):
+       #strname = str(name).strip("['']")
+       if object_hrn == name:
+        #if object_hrn == strname:
+            return 
+        if name.startswith(object_hrn + ".") :
+        #if strname.startswith((object_hrn + ".")) is True:
             return
         #if name.startswith(get_authority(name)):
             #return
@@ -239,7 +242,7 @@ class Auth:
         Given a user credential and a record, determine what set of rights the
         user should have to that record.
         
-        This is intended to replace determine_rights() and
+        This is intended to replace determine_user_rights() and
         verify_cancreate_credential()
         """
 
@@ -248,10 +251,12 @@ class Auth:
 
         logger.debug("entering determine_user_rights with record %s and caller_hrn %s"%(reg_record, caller_hrn))
 
-        if type=='slice':
+        if type == 'slice':
+            # researchers in the slice are in the DB as-is
             researcher_hrns = [ user.hrn for user in reg_record.reg_researchers ]
-            # xxx need a means to compute pi_hrns from the registry db
-            pi_hrns = reg_record.get('PI',[])
+            # locating PIs attached to that slice
+            slice_pis=reg_record.get_pis()
+            pi_hrns = [ user.hrn for user in slice_pis ]
             if (caller_hrn in researcher_hrns + pi_hrns):
                 rl.add('refresh')
                 rl.add('embed')
@@ -261,8 +266,6 @@ class Auth:
 
         elif type == 'authority':
             pi_hrns = [ user.hrn for user in reg_record.reg_pis ]
-            # xxx need a means to compute operator_hrns from the registry db
-            operator_hrns = reg_record.get('operator',[])
             if (caller_hrn == self.config.SFA_INTERFACE_HRN):
                 rl.add('authority')
                 rl.add('sa')
@@ -270,9 +273,13 @@ class Auth:
             if (caller_hrn in pi_hrns):
                 rl.add('authority')
                 rl.add('sa')
-            if (caller_hrn in operator_hrns):
-                rl.add('authority')
-                rl.add('ma')
+            # NOTE: for the PL implementation, this 'operators' list 
+            # amounted to users with 'tech' role in that site 
+            # it seems like this is not needed any longer, so for now I just drop that
+            # operator_hrns = reg_record.get('operator',[])
+            # if (caller_hrn in operator_hrns):
+            #    rl.add('authority')
+            #    rl.add('ma')
 
         elif type == 'user':
             rl.add('refresh')