Merge "Users can only edit users with full permission"

Zuul 2017-12-07 03:38:03 +00:00 committed by Gerrit Code Review
commit 1da1930d97
3 changed files with 23 additions and 3 deletions


@ -748,7 +748,7 @@ class UserActionTests(AdjutantTestCase):
data = {
'domain_id': 'default',
'user_id': 'user_id',
'user_id': user.id,
'project_id': project.id,
'roles': ['project_mod'],
'inherited_roles': [],
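Review bot: No test visible in this commit exercises the rejection path of the new permission check; this section only replaces the placeholder `'user_id': 'user_id'` with `user.id` so the existing case still resolves a real user. A case where the requester holds only `project_mod` and the target user already holds a role the requester cannot manage, asserting that the action ends up invalid, would pin the behaviour the commit title promises. The enclosing test method starts and ends outside the hunk, so its existing assertions are not visible here.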


@ -286,11 +286,30 @@ class EditUserRolesAction(UserIdAction, ProjectMixin, UserMixin):
self.roles = list(missing)
self.inherited_roles = list(missing_inherited)
self.add_note(
'User user missing roles.')
'User missing roles.')
# All paths are valid here
# We've just set state and roles that need to be changed.
return True
def _validate_role_permissions(self):
id_manager = user_store.IdentityManager()
current_user_roles = id_manager.get_roles(project=self.project_id,
user=self.user_id)
current_user_roles = [role.name for role in current_user_roles]
current_roles_manageable = self.are_roles_managable(
self.action.task.keystone_user['roles'], current_user_roles)
all_roles = set()
all_roles.update(self.roles)
all_roles.update(self.inherited_roles)
new_roles_manageable = self.are_roles_managable(
self.action.task.keystone_user['roles'], all_roles)
return new_roles_manageable and current_roles_manageable
def _validate(self):
self.action.valid = (
self._validate_keystone_user() and
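Review bot: The existing-role half of `_validate_role_permissions` may miss inherited assignments: the target user's roles come from a single `id_manager.get_roles(project=self.project_id, user=self.user_id)` call, while the requested roles are checked as the union of `self.roles` and `self.inherited_roles`. If that lookup returns only direct assignments (not visible here, though the fake manager change in this commit stores an `inherited` flag per assignment), a user holding an unmanageable role through inheritance would still pass the check, so the inherited assignments should be merged into `current_user_roles` before `are_roles_managable` is called. The method also returns False without recording why, unlike the branch above it; `self.add_note('Not all user roles are manageable.')` before the return would make the denial traceable. `_validate` continues outside the hunk, so whether it calls the new method cannot be confirmed from here.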


@ -337,7 +337,8 @@ class FakeManager(object):
role = self._role_from_id(role)
project = self._project_from_id(project)
role_assignment = self._make_role_assignment(user, role, project)
role_assignment = self._make_role_assignment(user, role, project,
inherited=inherited)
global identity_cache