From: Tony Mack <tmack@cs.princeton.edu>
Date: Mon, 26 Oct 2009 14:16:42 +0000 (+0000)
Subject: only allow authority creds if oject_hrn in pi list
X-Git-Tag: sfa-0.9-6~128
X-Git-Url: http://git.onelab.eu/?p=sfa.git;a=commitdiff_plain;h=ec74e6b27d2095b9ff8d5dd7b499fb58dadd127c

only allow authority creds if oject_hrn in pi list
---

diff --git a/sfa/trust/auth.py b/sfa/trust/auth.py
index f3609b3f..57583e46 100644
--- a/sfa/trust/auth.py
+++ b/sfa/trust/auth.py
@@ -240,11 +240,10 @@ class Auth:
         elif type == "authority":
             pis = record.get("pi", [])
             operators = record.get("operator", [])
-            rl.add("authority,sa,ma")
             if (cred_object_hrn in pis):
-                rl.add("sa")
+                rl.add("authority,sa")
             if (cred_object_hrn in operators):
-                rl.add("ma")
+                rl.add("authority,ma")
 
         elif type == "user":
             rl.add("refresh")