Fix policy check short circuit

The check() method was broken during a refactor and now only
checks the first result in the list and then returns that result.

This patch restores the AND functionality of check and only short
circuits on a failed result.

Closes-Bug: #1643082
Change-Id: I7d976299de2a35b81ced29d2c3f265da62f20eff
David Lyle 2016-11-18 15:45:22 -07:00
parent d27cb3039c
commit b8567d6060
1 changed files with 10 additions and 5 deletions

@ -75,7 +75,8 @@ def check(actions, request, target=None):
to policy setting.
:param actions: list of scope and action to do policy checks on,
the composition of which is (scope, action)
the composition of which is (scope, action). Multiple actions
are treated as a logical AND.
* scope: service type managing the policy for action
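Review bot: The sentence added under `:param actions:` states the AND semantics but not the short circuit. Suggest also saying that evaluation stops and check() returns False at the first action that fails, so callers know later entries in the list are not evaluated in that case.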
@ -153,12 +154,16 @@ def check(actions, request, target=None):
# needed when a domain scoped token is present
if scope == 'identity' and domain_credentials:
# use domain credentials
return _check_credentials(
enforcer[scope], action, target, domain_credentials)
if not _check_credentials(enforcer[scope],
action,
target,
domain_credentials):
return False
# use project credentials
return _check_credentials(
enforcer[scope], action, target, credentials)
if not _check_credentials(enforcer[scope],
action, target, credentials):
return False
# if no policy for scope, allow action, underlying API will
# ultimately block the action if not permitted, treat as though
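Review bot: In the `scope == 'identity' and domain_credentials` branch, replacing `return _check_credentials(...)` with `if not _check_credentials(...): return False` means a passing domain-credentials check no longer ends evaluation for that action. Unless an `else` or `continue` sits outside the lines shown, control falls through to the "use project credentials" check, so an identity action under a domain-scoped token now has to pass with both credential sets where it previously needed only the domain one. If that is not intended, put the project check under `else:`; if it is, say so in the commit message. A unit test with two actions where the first passes and the second fails would pin the regression this change fixes.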