dashboard: add template, disk acl checks

e63bb8ce · Bach Dániel · 026868b7 · e63bb8ce · e63bb8ce · e63bb8ce
Commit e63bb8ce authored Jan 28, 2014 by Bach Dániel
Hide whitespace changes
Inline Side-by-side

Showing with 84 additions and 12 deletions

circle/dashboard/fixtures/test-vm-fixture.json
+1 -1

circle/dashboard/tests/test_views.py
+41 -1

circle/dashboard/views.py
+42 -10

No files found.
--- a/circle/dashboard/fixtures/test-vm-fixture.json
+++ b/circle/dashboard/fixtures/test-vm-fixture.json
@@ -38,7 +38,7 @@
    "ready": true, 
    "datastore": 1, 
    "dev_num": "a", 
-    "type": "raw-rw", 
+    "type": "qcow2-norm", 
    "size": 8589934592
  }
 },

--- a/circle/dashboard/tests/test_views.py
+++ b/circle/dashboard/tests/test_views.py
@@ -2,7 +2,8 @@ from django.test import TestCase
 from django.test.client import Client
 from django.contrib.auth.models import User, Group

-from vm.models import Instance
+from vm.models import Instance, InstanceTemplate
+from storage.models import Disk
 from firewall.models import Vlan


@@ -144,3 +145,42 @@ class VmDetailTest(TestCase):
                           'cpu_priority': 1, 'cpu_count': 1,
                           'ram_size': 1000})
        self.assertEqual(response.status_code, 403)
+
+    def test_use_unpermitted_template(self):
+        c = Client()
+        self.login(c, 'user1')
+        Disk.objects.get(id=1).set_level(self.u1, 'user')
+        Vlan.objects.get(id=1).set_level(self.u1, 'user')
+        response = c.post('/dashboard/vm/create/',
+                          {'template': 1,
+                           'cpu_priority': 1, 'cpu_count': 1,
+                           'ram_size': 1000})
+        self.assertEqual(response.status_code, 403)
+
+    def test_use_permitted_template(self):
+        c = Client()
+        self.login(c, 'user1')
+        Disk.objects.get(id=1).set_level(self.u1, 'user')
+        InstanceTemplate.objects.get(id=1).set_level(self.u1, 'user')
+        Vlan.objects.get(id=1).set_level(self.u1, 'user')
+        response = c.post('/dashboard/vm/create/',
+                          {'template': 1,
+                           'cpu_priority': 1, 'cpu_count': 1,
+                           'ram_size': 1000})
+        self.assertEqual(response.status_code, 302)
+
+    def test_use_permitted_template_superuser(self):
+        c = Client()
+        self.login(c, 'superuser')
+        response = c.post('/dashboard/vm/create/',
+                          {'template': 1,
+                           'cpu_priority': 1, 'cpu_count': 1,
+                           'ram_size': 1000})
+        self.assertEqual(response.status_code, 302)
+
+    def test_edit_unpermitted_template(self):
+        c = Client()
+        self.login(c, 'user1')
+        InstanceTemplate.objects.get(id=1).set_level(self.u1, 'user')
+        response = c.post('/dashboard/template/1/', {})
+        self.assertEqual(response.status_code, 403)
--- a/circle/dashboard/views.py
+++ b/circle/dashboard/views.py
@@ -435,6 +435,11 @@ class TemplateCreate(SuccessMessageMixin, CreateView):
    success_message = _("Successfully created a new template!")

    def get(self, *args, **kwargs):
+        if not self.request.user.has_perm('vm.create_template'):
+            raise PermissionDenied()
+        form = self.form_class()
+        form.fields['disks'].queryset = Disk.get_objects_with_level(
+            'user', self.request.user).exclude(type="qcow2-snap")
        self.parent = self.request.GET.get("parent")
        return super(TemplateCreate, self).get(*args, **kwargs)

@@ -443,6 +448,18 @@ class TemplateCreate(SuccessMessageMixin, CreateView):
        kwargs['parent'] = getattr(self, "parent", None)
        return kwargs

+    def post(self, request, *args, **kwargs):
+        if not self.request.user.has_perm('vm.create_template'):
+            raise PermissionDenied()
+        form = self.form_class(request.POST)
+        if not form.is_valid():
+            return self.get(request, form, *args, **kwargs)
+        post = form.cleaned_data
+        for disk in post['disks']:
+            if not disk.has_level(request.user, 'user'):
+                raise PermissionDenied()
+        return super(TemplateCreate, self).post(self, request, args, kwargs)
+
    def get_success_url(self):
        return reverse_lazy("dashboard.views.template-list")

@@ -454,8 +471,10 @@ class TemplateDetail(LoginRequiredMixin, SuccessMessageMixin, UpdateView):
    success_message = _("Successfully modified template!")

    def get(self, request, *args, **kwargs):
+        template = InstanceTemplate.objects.get(pk=kwargs['pk'])
+        if not template.has_level(request.user, 'owner'):
+            raise PermissionDenied()
        if request.is_ajax():
-            template = InstanceTemplate.objects.get(pk=kwargs['pk'])
            template = {
                'num_cores': template.num_cores,
                'ram_size': template.ram_size,
@@ -482,6 +501,15 @@ class TemplateDetail(LoginRequiredMixin, SuccessMessageMixin, UpdateView):
        return reverse_lazy("dashboard.views.template-detail",
                            kwargs=self.kwargs)

+    def post(self, request, *args, **kwargs):
+        template = self.get_object()
+        if not template.has_level(request.user, 'owner'):
+            raise PermissionDenied()
+        for disk in self.get_object().disks.all():
+            if not disk.has_level(request.user, 'user'):
+                raise PermissionDenied()
+        return super(TemplateDetail, self).post(self, request, args, kwargs)
+

 class TemplateList(LoginRequiredMixin, SingleTableView):
    template_name = "dashboard/template-list.html"
@@ -494,6 +522,12 @@ class TemplateList(LoginRequiredMixin, SingleTableView):
        context['lease_table'] = LeaseListTable(Lease.objects.all())
        return context

+    def get_queryset(self):
+        logger.debug('TemplateList.get_queryset() called. User: %s',
+                     unicode(self.request.user))
+        return InstanceTemplate.get_objects_with_level(
+            'user', self.request.user).all()
+

 class VmList(LoginRequiredMixin, SingleTableView):
    template_name = "dashboard/vm-list.html"
@@ -545,9 +579,13 @@ class VmCreate(LoginRequiredMixin, TemplateView):
    def get(self, request, form=None, *args, **kwargs):
        if form is None:
            form = self.form_class()
-        form.fields['disks'].queryset = Disk.objects.exclude(type="qcow2-snap")
+        form.fields['disks'].queryset = Disk.get_objects_with_level(
+            'user', request.user).exclude(type="qcow2-snap")
        form.fields['networks'].queryset = Vlan.get_objects_with_level(
            'user', request.user)
+        templates = InstanceTemplate.get_objects_with_level('user',
+                                                            request.user)
+        form.fields['template'].queryset = templates
        context = self.get_context_data(**kwargs)
        context.update({
            'template': 'dashboard/vm-create.html',
@@ -556,14 +594,6 @@ class VmCreate(LoginRequiredMixin, TemplateView):
        })
        return self.render_to_response(context)

-    def get_context_data(self, **kwargs):
-        context = super(VmCreate, self).get_context_data(**kwargs)
-        # TODO acl
-        context.update({
-        })
-
-        return context
-
    # TODO handle not ajax posts
    def post(self, request, *args, **kwargs):
        form = self.form_class(request.POST)
@@ -573,6 +603,8 @@ class VmCreate(LoginRequiredMixin, TemplateView):
        user = request.user

        template = post['template']
+        if not template.has_level(request.user, 'user'):
+            raise PermissionDenied()
        if request.user.has_perm('vm.set_resources'):
            ikwargs = {
                'num_cores': post['cpu_count'],