Skip to content

Gelencsér Szabolcs / circlestack

Go to a project
Commit 9c872372 by Bach Dániel
Options

circle: add missing permission checks

parent 036383f1
Showing with 32 additions and 10 deletions
circle/dashboard/templates/dashboard/vm-detail.html
......@@ -135,7 +135,7 @@
<i class="icon-tasks icon-2x"></i><br>
{% trans "Resources" %}</a>
</li>
<li{% if not instance.is_console_available %} class="disabled"{% endif %}>
<li{% if not instance.is_console_available or not perms.vm.access_console %} class="disabled"{% endif %}>
<a href="#console" data-toggle="pill" data-target="#_console" class="text-center">
<i class="icon-desktop icon-2x"></i><br>
{% trans "Console" %}</a></li>
......
circle/dashboard/views.py
......@@ -243,6 +243,8 @@ class VmDetailVncTokenView(CheckedDetailView):
self.object = self.get_object()
if not self.object.has_level(request.user, 'operator'):
raise PermissionDenied()
if not request.user.has_perm('vm.access_console'):
raise PermissionDenied()
if self.object.node:
with instance_activity(code_suffix='console-accessed',
instance=self.object, user=request.user,
......@@ -637,7 +639,7 @@ class VmDownloadDiskView(FormOperationMixin, VmOperationView):
is_disk_operation = True
class VmMigrateView(VmOperationView):
class VmMigrateView(SuperuserRequiredMixin, VmOperationView):
op = 'migrate'
icon = 'truck'
......@@ -984,7 +986,7 @@ class GroupAclUpdateView(AclUpdateView):
kwargs=self.kwargs))
class TemplateChoose(TemplateView):
class TemplateChoose(LoginRequiredMixin, TemplateView):
def get_template_names(self):
if self.request.is_ajax():
......@@ -1017,6 +1019,9 @@ class TemplateChoose(TemplateView):
else:
template = get_object_or_404(InstanceTemplate, pk=template)
if not template.has_level(user, "user"):
raise PermissionDenied()
instance = Instance.create_from_template(
template=template, owner=request.user, is_base=True)
......@@ -1055,7 +1060,7 @@ class TemplateCreate(SuccessMessageMixin, CreateView):
return kwargs
def post(self, request, *args, **kwargs):
if not self.request.user.has_perm('vm.create_template'):
if not self.request.user.has_perm('vm.create_base_template'):
raise PermissionDenied()
form = self.form_class(request.POST, user=request.user)
......@@ -1492,6 +1497,9 @@ class VmCreate(LoginRequiredMixin, TemplateView):
return ['dashboard/nojs-wrapper.html']
def get(self, request, form=None, *args, **kwargs):
if not request.user.has_perm('vm.create_vm'):
raise PermissionDenied()
form_error = form is not None
template = (form.template.pk if form_error
else request.GET.get("template"))
......@@ -1597,6 +1605,9 @@ class VmCreate(LoginRequiredMixin, TemplateView):
def post(self, request, *args, **kwargs):
user = request.user
if not request.user.has_perm('vm.create_vm'):
raise PermissionDenied()
# limit chekcs
try:
limit = user.profile.instance_limit
......
circle/storage/models.py
......@@ -106,6 +106,9 @@ class Disk(AclBase, TimeStampedModel):
ordering = ['name']
verbose_name = _('disk')
verbose_name_plural = _('disks')
permissions = (
('create_empty_disk', _('Can create an empty disk.')),
('download_disk', _('Can download a disk.')))
class WrongDiskTypeError(Exception):
......
circle/vm/models/instance.py
......@@ -151,6 +151,9 @@ class InstanceTemplate(AclBase, VirtualMachineDescModel, TimeStampedModel):
ordering = ('name', )
permissions = (
('create_template', _('Can create an instance template.')),
('create_base_template',
_('Can create an instance template (base).')),
('change_resources', _('Can change resources of a template.')),
)
verbose_name = _('template')
verbose_name_plural = _('templates')
......@@ -263,6 +266,7 @@ class Instance(AclBase, VirtualMachineDescModel, StatusModel, OperatedMixin,
('access_console', _('Can access the graphical console of a VM.')),
('change_resources', _('Can change resources of a running VM.')),
('set_resources', _('Can change resources of a new VM.')),
('create_vm', _('Can create a new VM.')),
('config_ports', _('Can configure port forwards.')),
)
verbose_name = _('instance')
......
circle/vm/operations.py
......@@ -105,6 +105,7 @@ class CreateDiskOperation(InstanceOperation):
id = 'create_disk'
name = _("create disk")
description = _("Create empty disk for the VM.")
required_perms = ('storage.create_empty_disk', )
def check_precond(self):
super(CreateDiskOperation, self).check_precond()
......@@ -131,6 +132,7 @@ class DownloadDiskOperation(InstanceOperation):
description = _("Download disk for the VM.")
abortable = True
has_percentage = True
required_perms = ('storage.download_disk', )
def check_precond(self):
super(DownloadDiskOperation, self).check_precond()
......@@ -236,6 +238,12 @@ class MigrateOperation(InstanceOperation):
with activity.sub_activity('rollback_net'):
self.instance.deploy_net()
def check_auth(self, user):
if not user.is_superuser:
raise PermissionDenied()
super(MigrateOperation, self).check_auth(user=user)
def _operation(self, activity, to_node=None, timeout=120):
if not to_node:
with activity.sub_activity('scheduling') as sa:
......@@ -337,6 +345,7 @@ class SaveAsTemplateOperation(InstanceOperation):
Users can instantiate Virtual Machines from Templates.
""")
abortable = True
required_perms = ('vm.create_template', )
@staticmethod
def _rename(name):
......@@ -610,18 +619,13 @@ class ResourcesOperation(InstanceOperation):
description = _("Change resources")
acl_level = "owner"
concurrency_check = False
required_perms = ('vm.change_resources', )
def check_precond(self):
super(ResourcesOperation, self).check_precond()
if self.instance.status not in ["STOPPED", "PENDING"]:
raise self.instance.WrongStateError(self.instance)
def check_auth(self, user):
if not user.has_perm('vm.change_resources'):
raise PermissionDenied()
super(InstanceOperation, self).check_auth(user=user)
def _operation(self, user, num_cores, ram_size, max_ram_size, priority):
self.instance.num_cores = num_cores
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or sign in to comment