only allow authority creds if oject_hrn in pi list

author Tony Mack <tmack@cs.princeton.edu>

Mon, 26 Oct 2009 14:16:42 +0000 (14:16 +0000)

committer Tony Mack <tmack@cs.princeton.edu>

Mon, 26 Oct 2009 14:16:42 +0000 (14:16 +0000)
author Tony Mack <tmack@cs.princeton.edu>
Mon, 26 Oct 2009 14:16:42 +0000 (14:16 +0000)
committer Tony Mack <tmack@cs.princeton.edu>
Mon, 26 Oct 2009 14:16:42 +0000 (14:16 +0000)
diff --git a/sfa/trust/auth.py b/sfa/trust/auth.py

index f3609b3..57583e4 100644 (file)
--- a/sfa/trust/auth.py
+++ b/sfa/trust/auth.py
@@ -240,11 +240,10 @@ class Auth:
          elif type == "authority":
              pis = record.get("pi", [])
              operators = record.get("operator", [])
-            rl.add("authority,sa,ma")
              if (cred_object_hrn in pis):
-                rl.add("sa")
+                rl.add("authority,sa")
              if (cred_object_hrn in operators):
-                rl.add("ma")
+                rl.add("authority,ma")
  
          elif type == "user":
              rl.add("refresh")
author	Tony Mack <tmack@cs.princeton.edu>
	Mon, 26 Oct 2009 14:16:42 +0000 (14:16 +0000)
committer	Tony Mack <tmack@cs.princeton.edu>
	Mon, 26 Oct 2009 14:16:42 +0000 (14:16 +0000)