From a767cef2ad7973696b1723e17f518cc6435aaacc Mon Sep 17 00:00:00 2001
From: Adit Sarfaty
Date: Thu, 6 Jul 2017 15:09:07 +0300
Subject: [PATCH] Fix FWaaS create/update rule with non-admin

Creating and updating a shared rule is forbidden for non admin user. This patch makes sure the 'shared' attribute is disabled, and not added to the request body of the update request, so the request will not fail in neutron.

Change-Id: I439947198bd9b0a647640f3f663ba7029b2507b4
Closes-Bug: #1699717
---
 etc/neutron-fwaas-policy.json | 5 ++++-
 .../dashboards/project/firewalls/forms.py | 21 +++++++++++++++++++
 .../dashboards/project/firewalls/workflows.py | 13 ++++++++++++
 3 files changed, 38 insertions(+), 1 deletion(-)

diff --git a/etc/neutron-fwaas-policy.json b/etc/neutron-fwaas-policy.json
index 1b5f2ad..3458dad 100644
--- a/etc/neutron-fwaas-policy.json
+++ b/etc/neutron-fwaas-policy.json
@@ -27,5 +27,8 @@
     "create_firewall_rule": "",
     "get_firewall_rule": "rule:admin_or_owner or rule:shared_firewalls",
     "update_firewall_rule": "rule:admin_or_owner",
-    "delete_firewall_rule": "rule:admin_or_owner"
+    "delete_firewall_rule": "rule:admin_or_owner",
+    "create_firewall_rule:shared": "rule:admin_only",
+    "update_firewall_rule:shared": "rule:admin_only",
+    "delete_firewall_rule:shared": "rule:admin_only"
 }
diff --git a/neutron_fwaas_dashboard/dashboards/project/firewalls/forms.py b/neutron_fwaas_dashboard/dashboards/project/firewalls/forms.py
index b0ba999..1d8a709 100644
--- a/neutron_fwaas_dashboard/dashboards/project/firewalls/forms.py
+++ b/neutron_fwaas_dashboard/dashboards/project/firewalls/forms.py
@@ -23,6 +23,7 @@ from horizon import messages
 from horizon.utils import validators
 
 from openstack_dashboard import api
+from openstack_dashboard import policy
 
 from neutron_fwaas_dashboard.api import fwaas as api_fwaas
 
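Review bot: `delete_firewall_rule:shared` on the last added line is probably inert: attribute-scoped rules are evaluated against attributes carried in a request body, and a DELETE carries none, so I would expect it never to be consulted; keep it only if the deployment's Neutron server policy carries the same key. More importantly, this file is the dashboard's local copy of the policy, and it is what `policy.check` reads in the two new `__init__` bodies, while the authoritative check stays in the Neutron server. If this copy is not installed into Horizon's policy file set, or diverges from the server's, the UI will either offer an enabled "shared" checkbox that the server then rejects or disable one the server would accept, so the deployment notes should say the two must be kept in sync.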
@@ -78,6 +79,20 @@ class UpdateRule(forms.SelfHandlingForm):
     failure_url = 'horizon:project:firewalls:index'
 
+    def __init__(self, request, *args, **kwargs):
+        super(UpdateRule, self).__init__(request, *args, **kwargs)
+        # Only admin user can update the 'shared' attribute
+        self.ignore_shared = False
+        if not policy.check((("neutron-fwaas",
+                              "update_firewall_rule:shared"),),
+                            request):
+            self.fields['shared'].widget = forms.CheckboxInput(
+                attrs={'readonly': 'readonly', 'disabled': 'disabled'})
+            self.fields['shared'].help_text = _(
+                'Non admin users are not allowed to set the shared property '
+                'of the rule.')
+            self.ignore_shared = True
+
     def handle(self, request, context):
         rule_id = self.initial['rule_id']
         name_or_id = context.get('name') or rule_id
@@ -87,6 +102,12 @@ class UpdateRule(forms.SelfHandlingForm):
                   'source_port', 'destination_port']:
             if not context[f]:
                 context[f] = None
+
+        # Remove 'shared' from the context if the user is not allowed to
+        # change this field
+        if self.ignore_shared and 'shared' in context:
+            del context['shared']
+
         try:
             rule = api_fwaas.rule_update(request, rule_id, **context)
             msg = _('Rule %s was successfully updated.') % name_or_id
diff --git a/neutron_fwaas_dashboard/dashboards/project/firewalls/workflows.py b/neutron_fwaas_dashboard/dashboards/project/firewalls/workflows.py
index 082631e..72b72fa 100644
--- a/neutron_fwaas_dashboard/dashboards/project/firewalls/workflows.py
+++ b/neutron_fwaas_dashboard/dashboards/project/firewalls/workflows.py
@@ -20,6 +20,8 @@ from horizon import forms
 from horizon.utils import validators
 from horizon import workflows
 
+from openstack_dashboard import policy
+
 from neutron_fwaas_dashboard.api import fwaas as api_fwaas
 
 port_validator = validators.validate_port_or_colon_separated_port_range
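Review bot: The `readonly`/`disabled` attrs on the replaced `CheckboxInput` in `UpdateRule.__init__` are browser-side hints, not enforcement: `readonly` has no effect on a checkbox input at all, and a form body that does not come from this widget can still carry `shared`, so the only thing that actually keeps a non-admin update from failing is `self.ignore_shared` being honoured when the request body is built, with Neutron's own `update_firewall_rule:shared` rule remaining the authoritative check. That deserves a comment above the widget assignment, e.g. `# Presentation only: handle() drops 'shared' when ignore_shared is set; Neutron enforces the policy.` The same eleven lines are duplicated in `AddRuleAction.__init__` in workflows.py, where the hunk sets `self.ignore_shared` but nothing visible reads it; that workflow's handle is outside this diff, so please confirm it also omits `shared` from the create request, or the flag is dead there. Since both forms need identical widget and help-text setup, a single helper (e.g. a module-level `_disable_shared_field(form)` called from both) would keep the two in step.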
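Review bot: In the `handle` hunk, the membership test plus `del` can be the single idiomatic line `context.pop('shared', None)` under the `if self.ignore_shared:` guard, which also avoids the double lookup. Dropping the key means the rule's existing `shared` value is left untouched by the server rather than being reset to the disabled checkbox's cleaned value, which looks intended; the comment above the block could say so explicitly: `# Omit 'shared' so Neutron keeps the rule's current value instead of rejecting the attribute.`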
@@ -89,6 +91,17 @@ class AddRuleAction(workflows.Action):
     def __init__(self, request, *args, **kwargs):
         super(AddRuleAction, self).__init__(request, *args, **kwargs)
+        # Only admin user can update the 'shared' attribute
+        self.ignore_shared = False
+        if not policy.check((("neutron-fwaas",
+                              "create_firewall_rule:shared"),),
+                            request):
+            self.fields['shared'].widget = forms.CheckboxInput(
+                attrs={'readonly': 'readonly', 'disabled': 'disabled'})
+            self.fields['shared'].help_text = _(
+                'Non admin users are not allowed to set the shared property '
+                'of the rule.')
+            self.ignore_shared = True
 
     def _check_ip_addr_and_ip_version(self, cleaned_data):
         ip_version = int(str(cleaned_data.get('ip_version')))