Commit e63bb8ce by Bach Dániel

dashboard: add template, disk acl checks

parent 026868b7
...@@ -38,7 +38,7 @@ ...@@ -38,7 +38,7 @@
"ready": true, "ready": true,
"datastore": 1, "datastore": 1,
"dev_num": "a", "dev_num": "a",
"type": "raw-rw", "type": "qcow2-norm",
"size": 8589934592 "size": 8589934592
} }
}, },
......
...@@ -2,7 +2,8 @@ from django.test import TestCase ...@@ -2,7 +2,8 @@ from django.test import TestCase
from django.test.client import Client from django.test.client import Client
from django.contrib.auth.models import User, Group from django.contrib.auth.models import User, Group
from vm.models import Instance from vm.models import Instance, InstanceTemplate
from storage.models import Disk
from firewall.models import Vlan from firewall.models import Vlan
...@@ -144,3 +145,42 @@ class VmDetailTest(TestCase): ...@@ -144,3 +145,42 @@ class VmDetailTest(TestCase):
'cpu_priority': 1, 'cpu_count': 1, 'cpu_priority': 1, 'cpu_count': 1,
'ram_size': 1000}) 'ram_size': 1000})
self.assertEqual(response.status_code, 403) self.assertEqual(response.status_code, 403)
def test_use_unpermitted_template(self):
c = Client()
self.login(c, 'user1')
Disk.objects.get(id=1).set_level(self.u1, 'user')
Vlan.objects.get(id=1).set_level(self.u1, 'user')
response = c.post('/dashboard/vm/create/',
{'template': 1,
'cpu_priority': 1, 'cpu_count': 1,
'ram_size': 1000})
self.assertEqual(response.status_code, 403)
def test_use_permitted_template(self):
c = Client()
self.login(c, 'user1')
Disk.objects.get(id=1).set_level(self.u1, 'user')
InstanceTemplate.objects.get(id=1).set_level(self.u1, 'user')
Vlan.objects.get(id=1).set_level(self.u1, 'user')
response = c.post('/dashboard/vm/create/',
{'template': 1,
'cpu_priority': 1, 'cpu_count': 1,
'ram_size': 1000})
self.assertEqual(response.status_code, 302)
def test_use_permitted_template_superuser(self):
c = Client()
self.login(c, 'superuser')
response = c.post('/dashboard/vm/create/',
{'template': 1,
'cpu_priority': 1, 'cpu_count': 1,
'ram_size': 1000})
self.assertEqual(response.status_code, 302)
def test_edit_unpermitted_template(self):
c = Client()
self.login(c, 'user1')
InstanceTemplate.objects.get(id=1).set_level(self.u1, 'user')
response = c.post('/dashboard/template/1/', {})
self.assertEqual(response.status_code, 403)
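Review bot: The new tests cover the template ACL on VM creation, but nothing exercises the disk checks this commit adds to TemplateCreate.post and TemplateDetail.post, and test_edit_unpermitted_template has no positive counterpart. A case where the user holds 'owner' on the template but no level on one of its disks should assert 403, and an owner with disk access should assert the success redirect, so a regression in either check is caught. test_edit_unpermitted_template would also read more clearly with a comment such as `# 'user' level is granted, but editing requires 'owner'`. VmDetailTest begins outside this hunk.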
...@@ -435,6 +435,11 @@ class TemplateCreate(SuccessMessageMixin, CreateView): ...@@ -435,6 +435,11 @@ class TemplateCreate(SuccessMessageMixin, CreateView):
success_message = _("Successfully created a new template!") success_message = _("Successfully created a new template!")
def get(self, *args, **kwargs): def get(self, *args, **kwargs):
if not self.request.user.has_perm('vm.create_template'):
raise PermissionDenied()
form = self.form_class()
form.fields['disks'].queryset = Disk.get_objects_with_level(
'user', self.request.user).exclude(type="qcow2-snap")
self.parent = self.request.GET.get("parent") self.parent = self.request.GET.get("parent")
return super(TemplateCreate, self).get(*args, **kwargs) return super(TemplateCreate, self).get(*args, **kwargs)
...@@ -443,6 +448,18 @@ class TemplateCreate(SuccessMessageMixin, CreateView): ...@@ -443,6 +448,18 @@ class TemplateCreate(SuccessMessageMixin, CreateView):
kwargs['parent'] = getattr(self, "parent", None) kwargs['parent'] = getattr(self, "parent", None)
return kwargs return kwargs
def post(self, request, *args, **kwargs):
if not self.request.user.has_perm('vm.create_template'):
raise PermissionDenied()
form = self.form_class(request.POST)
if not form.is_valid():
return self.get(request, form, *args, **kwargs)
post = form.cleaned_data
for disk in post['disks']:
if not disk.has_level(request.user, 'user'):
raise PermissionDenied()
return super(TemplateCreate, self).post(self, request, args, kwargs)
def get_success_url(self): def get_success_url(self):
return reverse_lazy("dashboard.views.template-list") return reverse_lazy("dashboard.views.template-list")
...@@ -454,8 +471,10 @@ class TemplateDetail(LoginRequiredMixin, SuccessMessageMixin, UpdateView): ...@@ -454,8 +471,10 @@ class TemplateDetail(LoginRequiredMixin, SuccessMessageMixin, UpdateView):
success_message = _("Successfully modified template!") success_message = _("Successfully modified template!")
def get(self, request, *args, **kwargs): def get(self, request, *args, **kwargs):
template = InstanceTemplate.objects.get(pk=kwargs['pk'])
if not template.has_level(request.user, 'owner'):
raise PermissionDenied()
if request.is_ajax(): if request.is_ajax():
template = InstanceTemplate.objects.get(pk=kwargs['pk'])
template = { template = {
'num_cores': template.num_cores, 'num_cores': template.num_cores,
'ram_size': template.ram_size, 'ram_size': template.ram_size,
...@@ -482,6 +501,15 @@ class TemplateDetail(LoginRequiredMixin, SuccessMessageMixin, UpdateView): ...@@ -482,6 +501,15 @@ class TemplateDetail(LoginRequiredMixin, SuccessMessageMixin, UpdateView):
return reverse_lazy("dashboard.views.template-detail", return reverse_lazy("dashboard.views.template-detail",
kwargs=self.kwargs) kwargs=self.kwargs)
def post(self, request, *args, **kwargs):
template = self.get_object()
if not template.has_level(request.user, 'owner'):
raise PermissionDenied()
for disk in self.get_object().disks.all():
if not disk.has_level(request.user, 'user'):
raise PermissionDenied()
return super(TemplateDetail, self).post(self, request, args, kwargs)
class TemplateList(LoginRequiredMixin, SingleTableView): class TemplateList(LoginRequiredMixin, SingleTableView):
template_name = "dashboard/template-list.html" template_name = "dashboard/template-list.html"
...@@ -494,6 +522,12 @@ class TemplateList(LoginRequiredMixin, SingleTableView): ...@@ -494,6 +522,12 @@ class TemplateList(LoginRequiredMixin, SingleTableView):
context['lease_table'] = LeaseListTable(Lease.objects.all()) context['lease_table'] = LeaseListTable(Lease.objects.all())
return context return context
def get_queryset(self):
logger.debug('TemplateList.get_queryset() called. User: %s',
unicode(self.request.user))
return InstanceTemplate.get_objects_with_level(
'user', self.request.user).all()
class VmList(LoginRequiredMixin, SingleTableView): class VmList(LoginRequiredMixin, SingleTableView):
template_name = "dashboard/vm-list.html" template_name = "dashboard/vm-list.html"
...@@ -545,9 +579,13 @@ class VmCreate(LoginRequiredMixin, TemplateView): ...@@ -545,9 +579,13 @@ class VmCreate(LoginRequiredMixin, TemplateView):
def get(self, request, form=None, *args, **kwargs): def get(self, request, form=None, *args, **kwargs):
if form is None: if form is None:
form = self.form_class() form = self.form_class()
form.fields['disks'].queryset = Disk.objects.exclude(type="qcow2-snap") form.fields['disks'].queryset = Disk.get_objects_with_level(
'user', request.user).exclude(type="qcow2-snap")
form.fields['networks'].queryset = Vlan.get_objects_with_level( form.fields['networks'].queryset = Vlan.get_objects_with_level(
'user', request.user) 'user', request.user)
templates = InstanceTemplate.get_objects_with_level('user',
request.user)
form.fields['template'].queryset = templates
context = self.get_context_data(**kwargs) context = self.get_context_data(**kwargs)
context.update({ context.update({
'template': 'dashboard/vm-create.html', 'template': 'dashboard/vm-create.html',
...@@ -556,14 +594,6 @@ class VmCreate(LoginRequiredMixin, TemplateView): ...@@ -556,14 +594,6 @@ class VmCreate(LoginRequiredMixin, TemplateView):
}) })
return self.render_to_response(context) return self.render_to_response(context)
def get_context_data(self, **kwargs):
context = super(VmCreate, self).get_context_data(**kwargs)
# TODO acl
context.update({
})
return context
# TODO handle not ajax posts # TODO handle not ajax posts
def post(self, request, *args, **kwargs): def post(self, request, *args, **kwargs):
form = self.form_class(request.POST) form = self.form_class(request.POST)
...@@ -573,6 +603,8 @@ class VmCreate(LoginRequiredMixin, TemplateView): ...@@ -573,6 +603,8 @@ class VmCreate(LoginRequiredMixin, TemplateView):
user = request.user user = request.user
template = post['template'] template = post['template']
if not template.has_level(request.user, 'user'):
raise PermissionDenied()
if request.user.has_perm('vm.set_resources'): if request.user.has_perm('vm.set_resources'):
ikwargs = { ikwargs = {
'num_cores': post['cpu_count'], 'num_cores': post['cpu_count'],
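Review bot: In TemplateDetail.post the disk ACL loop walks `self.get_object().disks.all()`, which is the set of disks already stored on the template, not the set submitted in the request; if the update form exposes a `disks` field (not visible here), an owner's edit is never checked against the disks being assigned. TemplateCreate.post in the same file validates the form and checks `form.cleaned_data['disks']`, and the edit path should check the submitted disks the same way before saving. Separately, both new post() overrides end with `super(...).post(self, request, args, kwargs)`, which hands the view in as the request and passes args/kwargs as two positional values; it should read `return super(TemplateDetail, self).post(request, *args, **kwargs)`, and likewise for TemplateCreate. In TemplateCreate.get the freshly built `form` with the filtered disk queryset is never passed on, so the filter appears to have no effect on the rendered form. The class bodies start and end outside the hunks shown.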
......