git://git.onelab.eu / sfa.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
first step to merge senslab upstream:
[sfa.git] / sfa / trust / auth.py
diff --git a/sfa/trust/auth.py b/sfa/trust/auth.py
index 31ba051..54fd9d2 100644 (file)
--- a/sfa/trust/auth.py
+++ b/sfa/trust/auth.py
@@ -225,9 +225,12 @@ class Auth:
         @param name human readable name to test  
         """
         object_hrn = self.object_gid.get_hrn()
-        if object_hrn == name:
-            return
-        if name.startswith(object_hrn + "."):
+       #strname = str(name).strip("['']")
+       if object_hrn == name:
+        #if object_hrn == strname:
+            return 
+        if name.startswith(object_hrn + ".") :
+        #if strname.startswith((object_hrn + ".")) is True:
             return
         #if name.startswith(get_authority(name)):
             #return
@@ -239,18 +242,22 @@ class Auth:
         Given a user credential and a record, determine what set of rights the
         user should have to that record.
         
-        This is intended to replace determine_rights() and
+        This is intended to replace determine_user_rights() and
         verify_cancreate_credential()
         """
 
         rl = Rights()
         type = reg_record.type
 
+        logger.debug("entering determine_user_rights with record %s and caller_hrn %s"%(reg_record, caller_hrn))
 
-        if type=='slice':
-            researchers = reg_record.get('researcher',[])
-            pis = reg_record.get('PI',[])
-            if (caller_hrn in researchers + pis):
+        if type == 'slice':
+            # researchers in the slice are in the DB as-is
+            researcher_hrns = [ user.hrn for user in reg_record.reg_researchers ]
+            # locating PIs attached to that slice
+            slice_pis=reg_record.get_pis()
+            pi_hrns = [ user.hrn for user in slice_pis ]
+            if (caller_hrn in researcher_hrns + pi_hrns):
                 rl.add('refresh')
                 rl.add('embed')
                 rl.add('bind')
@@ -258,18 +265,21 @@ class Auth:
                 rl.add('info')
 
         elif type == 'authority':
-            pis = reg_record.get('PI',[])
-            operators = reg_record.get('operator',[])
+            pi_hrns = [ user.hrn for user in reg_record.reg_pis ]
             if (caller_hrn == self.config.SFA_INTERFACE_HRN):
                 rl.add('authority')
                 rl.add('sa')
                 rl.add('ma')
-            if (caller_hrn in pis):
+            if (caller_hrn in pi_hrns):
                 rl.add('authority')
                 rl.add('sa')
-            if (caller_hrn in operators):
-                rl.add('authority')
-                rl.add('ma')
+            # NOTE: for the PL implementation, this 'operators' list 
+            # amounted to users with 'tech' role in that site 
+            # it seems like this is not needed any longer, so for now I just drop that
+            # operator_hrns = reg_record.get('operator',[])
+            # if (caller_hrn in operator_hrns):
+            #    rl.add('authority')
+            #    rl.add('ma')
 
         elif type == 'user':
             rl.add('refresh')
sfa