Fix policy check short circuit
The check() method was broken during a refactor and now only checks the first result in the list and then returns that result. This patch restores the AND functionality of check and only short circuits on a failed result. Closes-Bug: #1643082 Change-Id: I7d976299de2a35b81ced29d2c3f265da62f20eff
parent
d27cb3039c
commit
b8567d6060
|
@ -75,7 +75,8 @@ def check(actions, request, target=None):
|
|||
to policy setting.
|
||||
|
||||
:param actions: list of scope and action to do policy checks on,
|
||||
the composition of which is (scope, action)
|
||||
the composition of which is (scope, action). Multiple actions
|
||||
are treated as a logical AND.
|
||||
|
||||
* scope: service type managing the policy for action
|
||||
|
||||
|
@ -153,12 +154,16 @@ def check(actions, request, target=None):
|
|||
# needed when a domain scoped token is present
|
||||
if scope == 'identity' and domain_credentials:
|
||||
# use domain credentials
|
||||
return _check_credentials(
|
||||
enforcer[scope], action, target, domain_credentials)
|
||||
if not _check_credentials(enforcer[scope],
|
||||
action,
|
||||
target,
|
||||
domain_credentials):
|
||||
return False
|
||||
|
||||
# use project credentials
|
||||
return _check_credentials(
|
||||
enforcer[scope], action, target, credentials)
|
||||
if not _check_credentials(enforcer[scope],
|
||||
action, target, credentials):
|
||||
return False
|
||||
|
||||
# if no policy for scope, allow action, underlying API will
|
||||
# ultimately block the action if not permitted, treat as though
|
||||
|
|
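Review bot: In the second hunk of check(), a passing domain-credentials check for the `identity` scope no longer ends evaluation of that action: control falls through to the `# use project credentials` check, so both credential sets now have to satisfy the rule. The `return _check_credentials(...)` form shown beside it appears to be the removed side, which returned the domain result directly, so this looks like a behaviour change beyond restoring the AND across actions, and it could deny domain-scoped identity operations that the project credentials do not satisfy. If requiring both is intended, say so in a comment such as `# domain check passed; the project-credential check below must pass as well`; if it is not, add `continue` after a successful domain check. The +/- markers are lost in this rendering and the body of check() starts and ends outside the hunk, so confirm against the full function, and cover the multi-action case with a test in which the first action passes and a later one fails.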