diff --git a/etc/neutron-fwaas-policy.json b/etc/neutron-fwaas-policy.json
index 1b5f2ad..3458dad 100644
--- a/etc/neutron-fwaas-policy.json
+++ b/etc/neutron-fwaas-policy.json
@@ -27,5 +27,8 @@
     "create_firewall_rule": "",
     "get_firewall_rule": "rule:admin_or_owner or rule:shared_firewalls",
     "update_firewall_rule": "rule:admin_or_owner",
-    "delete_firewall_rule": "rule:admin_or_owner"
+    "delete_firewall_rule": "rule:admin_or_owner",
+    "create_firewall_rule:shared": "rule:admin_only",
+    "update_firewall_rule:shared": "rule:admin_only",
+    "delete_firewall_rule:shared": "rule:admin_only"
 }
diff --git a/neutron_fwaas_dashboard/dashboards/project/firewalls/forms.py b/neutron_fwaas_dashboard/dashboards/project/firewalls/forms.py
index b0ba999..1d8a709 100644
--- a/neutron_fwaas_dashboard/dashboards/project/firewalls/forms.py
+++ b/neutron_fwaas_dashboard/dashboards/project/firewalls/forms.py
@@ -23,6 +23,7 @@ from horizon import messages
 from horizon.utils import validators
 
 from openstack_dashboard import api
+from openstack_dashboard import policy
 
 from neutron_fwaas_dashboard.api import fwaas as api_fwaas
 
@@ -78,6 +79,20 @@ class UpdateRule(forms.SelfHandlingForm):
 
     failure_url = 'horizon:project:firewalls:index'
 
+    def __init__(self, request, *args, **kwargs):
+        super(UpdateRule, self).__init__(request, *args, **kwargs)
+        # Only admin user can update the 'shared' attribute
+        self.ignore_shared = False
+        if not policy.check((("neutron-fwaas",
+                              "update_firewall_rule:shared"),),
+                            request):
+            self.fields['shared'].widget = forms.CheckboxInput(
+                attrs={'readonly': 'readonly', 'disabled': 'disabled'})
+            self.fields['shared'].help_text = _(
+                'Non admin users are not allowed to set the shared property '
+                'of the rule.')
+            self.ignore_shared = True
+
     def handle(self, request, context):
         rule_id = self.initial['rule_id']
         name_or_id = context.get('name') or rule_id
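Review bot: The three new `*_firewall_rule:shared` targets are what Horizon's `policy.check` evaluates against this dashboard-side copy of the policy file, so they only decide what the UI renders; the request is ultimately authorized by the neutron-fwaas service's own policy, which this change does not touch and which must carry the same targets with `rule:admin_only` for the gating to be more than cosmetic. `rule:admin_only` is referenced but its definition is not visible in the hunk — if it is missing from this file, `policy.check` falls back to its default behaviour rather than failing loudly, so confirm the rule exists in the unchanged part of the file. `delete_firewall_rule:shared` is added here although nothing in this change consults it, which is fine for parity with the server but should be mentioned in the commit message so it is not removed as dead later.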
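Review bot: The `disabled`/`readonly` attributes set on the `shared` widget in `UpdateRule.__init__` only change the rendered HTML; a hand-crafted POST that carries `shared=on` is still cleaned into `cleaned_data['shared']`, so on the dashboard side the only real guard is the `ignore_shared` flag being honoured later in the form, with the neutron-fwaas policy as the final authority. If the Horizon in use runs on Django 1.9 or newer, `self.fields['shared'].disabled = True` makes the form ignore submitted data for that field regardless of what the browser sends, which is the safer construct; `readonly` has no effect on a checkbox input in any case. The comment `# Only admin user can update the 'shared' attribute` also overstates things, since any role the `update_firewall_rule:shared` target grants qualifies — suggest `# Only users the update_firewall_rule:shared policy allows may change 'shared'; for everyone else render it disabled and have handle() drop it, since the widget attrs are not enforced server-side.` The UpdateRule class and its handle() continue past the hunk.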
@@ -87,6 +102,12 @@ class UpdateRule(forms.SelfHandlingForm):
                   'source_port', 'destination_port']:
             if not context[f]:
                 context[f] = None
+
+        # Remove 'shared' from the context if the user is not allowed to
+        # change this field
+        if self.ignore_shared and 'shared' in context:
+            del context['shared']
+
         try:
             rule = api_fwaas.rule_update(request, rule_id, **context)
             msg = _('Rule %s was successfully updated.') % name_or_id
diff --git a/neutron_fwaas_dashboard/dashboards/project/firewalls/workflows.py b/neutron_fwaas_dashboard/dashboards/project/firewalls/workflows.py
index 082631e..72b72fa 100644
--- a/neutron_fwaas_dashboard/dashboards/project/firewalls/workflows.py
+++ b/neutron_fwaas_dashboard/dashboards/project/firewalls/workflows.py
@@ -20,6 +20,8 @@ from horizon import forms
 from horizon.utils import validators
 from horizon import workflows
 
+from openstack_dashboard import policy
+
 from neutron_fwaas_dashboard.api import fwaas as api_fwaas
 
 port_validator = validators.validate_port_or_colon_separated_port_range
@@ -89,6 +91,17 @@ class AddRuleAction(workflows.Action):
 
     def __init__(self, request, *args, **kwargs):
         super(AddRuleAction, self).__init__(request, *args, **kwargs)
+        # Only admin user can update the 'shared' attribute
+        self.ignore_shared = False
+        if not policy.check((("neutron-fwaas",
+                              "create_firewall_rule:shared"),),
+                            request):
+            self.fields['shared'].widget = forms.CheckboxInput(
+                attrs={'readonly': 'readonly', 'disabled': 'disabled'})
+            self.fields['shared'].help_text = _(
+                'Non admin users are not allowed to set the shared property '
+                'of the rule.')
+            self.ignore_shared = True
 
     def _check_ip_addr_and_ip_version(self, cleaned_data):
         ip_version = int(str(cleaned_data.get('ip_version')))
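Review bot: The `del context['shared']` in `UpdateRule.handle` is the only dashboard-side enforcement of the `update_firewall_rule:shared` policy, because the disabled checkbox set up in `__init__` is just an HTML hint that a crafted POST bypasses; the comment should say so, so that a later cleanup does not drop the check as redundant: `# The disabled widget is only a UI hint: drop 'shared' here so a crafted POST cannot change it. The neutron-fwaas policy remains the final authority.` `context.pop('shared', None)` expresses the same thing without the separate membership test. handle() starts and ends outside the hunk.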
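Review bot: `AddRuleAction.__init__` sets `self.ignore_shared = True` but nothing in this change consumes it on the create path — unlike `UpdateRule.handle`, no visible code strips `shared` from the workflow context before the rule is created, so a non-admin user who submits `shared=on` despite the disabled checkbox is rejected only by the neutron-fwaas policy (and sees the raw API error instead of the dashboard's message). Unless the workflow's handle, outside this diff, already reads the flag, the action should enforce it itself: on Django 1.9 or newer `self.fields['shared'].disabled = True` makes Django ignore submitted data for the field, otherwise override `clean()` to `cleaned_data.pop('shared', None)` when `self.ignore_shared` is set. `readonly` has no effect on a checkbox input, and the comment `# Only admin user can update the 'shared' attribute` should name the policy target (`create_firewall_rule:shared`) rather than "admin", since that is what is actually checked. `_check_ip_addr_and_ip_version` continues past the hunk.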