Disallow non-admin users update net's shared attribute

Currently non-admin user cannot create a network with shared=True. But the user can create the network and then change the shared attribute to True. This patch will no longer allow non-admin user to update a network's shared value to True. Change-Id: Id596ee399c56b9882efab97a89dbf7d14c5cf7f4 Closes-Bug: 1268823
2014-01-20 15:48:28 +00:00 · 2014-01-20 15:48:28 +00:00 · e4836bd08c
parent 49efd608d3
commit e4836bd08c
2 changed files with 12 additions and 0 deletions
--- a/etc/policy.json
+++ b/etc/policy.json
@ -35,6 +35,7 @@
    "create_network:provider:segmentation_id": "rule:admin_only",
    "update_network": "rule:admin_or_owner",
    "update_network:segments": "rule:admin_only",
+    "update_network:shared": "rule:admin_only",
    "update_network:provider:network_type": "rule:admin_only",
    "update_network:provider:physical_network": "rule:admin_only",
    "update_network:provider:segmentation_id": "rule:admin_only",
--- a/neutron/tests/unit/test_db_plugin.py
+++ b/neutron/tests/unit/test_db_plugin.py
@ -1818,6 +1818,17 @@ class TestNetworksV2(NeutronDbPluginV2TestCase):
            res = self.deserialize(self.fmt, req.get_response(self.api))
            self.assertTrue(res['network']['shared'])

+    def test_update_network_set_shared_owner_returns_404(self):
+        with self.network(shared=False) as network:
+            net_owner = network['network']['tenant_id']
+            data = {'network': {'shared': True}}
+            req = self.new_update_request('networks',
+                                          data,
+                                          network['network']['id'])
+            req.environ['neutron.context'] = context.Context('u', net_owner)
+            res = req.get_response(self.api)
+            self.assertEqual(res.status_int, webob.exc.HTTPNotFound.code)
+
    def test_update_network_with_subnet_set_shared(self):
        with self.network(shared=False) as network:
            with self.subnet(network=network) as subnet: