Hey Scott,
Looks like there are some issues with the migration. I get an error when running rake migrate.
Basically, default_template_role is not defined anywhere and there is a comma missing from the list on the next line.
I tried setting the default_template_role to the role defined in the transaction, and adding the comma.
This allows us to run migrations successfully, but when running the cucumber tests I get a cucumber error, shown below:
Could you take a look at these errors and resend?
Thanks
Martyn
(::) failed steps (::)
expected the following element's content to include "new Permission":
(Spec::Expectations::ExpectationNotMetError) ./features/step_definitions/web_steps.rb:151:in `/^(?:|I )should see "([^"]*)"$/' features/permission.feature:30:in `Then I should see "new Permission"'
Failing Scenarios: cucumber features/permission.feature:24 # Scenario: Create a permission which already exists.
----- Original Message ----- From: "Scott Seago" sseago@redhat.com To: aeolus-devel@lists.fedorahosted.org Sent: Thursday, 24 March, 2011 12:59:52 AM Subject: [PATCH] add top-level template permissions so end users can create templates and start instances.
Signed-off-by: Scott Seago sseago@redhat.com --- .../controllers/resources/instances_controller.rb | 4 +- src/app/models/permission.rb | 3 +- src/app/services/registration_service.rb | 12 +++-- .../20110322120000_add_template_creator_role.rb | 47 ++++++++++++++++++++ src/db/seeds.rb | 10 +++- src/lib/tasks/dc_tasks.rake | 13 ++++-- src/spec/services/registration_service_spec.rb | 6 ++- 7 files changed, 79 insertions(+), 16 deletions(-) create mode 100644 src/db/migrate/20110322120000_add_template_creator_role.rb
diff --git a/src/app/controllers/resources/instances_controller.rb b/src/app/controllers/resources/instances_controller.rb index 234fe6b..f857aa7 100644 --- a/src/app/controllers/resources/instances_controller.rb +++ b/src/app/controllers/resources/instances_controller.rb @@ -168,7 +168,7 @@ class Resources::InstancesController < ApplicationController end
def init_new_instance_attrs - @pools = Pool.list_for_user(@current_user, Privilege::MODIFY, :target_type => Instance) + @pools = Pool.list_for_user(@current_user, Privilege::CREATE, :target_type => Instance) @realms = FrontendRealm.all @hardware_profiles = HardwareProfile.all( :include => :architecture, @@ -189,7 +189,7 @@ class Resources::InstancesController < ApplicationController {:name => 'CREATED BY', :sort_attr => 'users.last_name'}, ]
- @pools = Pool.list_for_user(@current_user, Privilege::MODIFY, :target_type => Instance) + @pools = Pool.list_for_user(@current_user, Privilege::CREATE, :target_type => Instance) end
def load_instances diff --git a/src/app/models/permission.rb b/src/app/models/permission.rb index dc10166..34e37bd 100644 --- a/src/app/models/permission.rb +++ b/src/app/models/permission.rb @@ -40,7 +40,8 @@ class Permission < ActiveRecord::Base
validates_presence_of :user_id validates_uniqueness_of :user_id, :scope => [:permission_object_id, - :permission_object_type] + :permission_object_type, + :role_id]
belongs_to :permission_object, :polymorphic => true # type-specific associations diff --git a/src/app/services/registration_service.rb b/src/app/services/registration_service.rb index 046fdcd..dfa5d88 100644 --- a/src/app/services/registration_service.rb +++ b/src/app/services/registration_service.rb @@ -21,11 +21,13 @@ class RegistrationService end
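Review bot: Adding `:role_id` to the `validates_uniqueness_of` scope in permission.rb is enforced only in the application, and nothing in this patch adds a matching unique index, so two concurrent saves can still insert the same (user, object, role) row. The new migration would be a natural place for one, e.g. `add_index :permissions, [:user_id, :permission_object_id, :permission_object_type, :role_id], :unique => true` (table name assumed from the model name). Widening the scope also means one user can now hold several roles on the same object, so any code that assumed a single permission per user and object should be checked; none of it is visible in this hunk.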
@user.save! - - self_service_default_role = MetadataObject.lookup("self_service_default_role") - self_service_default_pool = MetadataObject.lookup("self_service_default_pool") - Permission.create!(:user => @user, :role => self_service_default_role, - :permission_object => self_service_default_pool) + MetadataObject.lookup("self_service_perms_list").split.each do |x| + obj_key, role_key = x.split(",") + default_obj = MetadataObject.lookup(obj_key) + default_role = MetadataObject.lookup(role_key) + Permission.create!(:user => @user, :role => default_role, + :permission_object => default_obj) + end return true rescue ActiveRecord::RecordInvalid => e Rails.logger.error e.message diff --git a/src/db/migrate/20110322120000_add_template_creator_role.rb b/src/db/migrate/20110322120000_add_template_creator_role.rb new file mode 100644 index 0000000..df13ac0 --- /dev/null +++ b/src/db/migrate/20110322120000_add_template_creator_role.rb 
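Review bot: The new loop in registration_service.rb calls `.split` on whatever `MetadataObject.lookup("self_service_perms_list")` returns, so on a deployment where that key was never set it fails with NoMethodError, which the visible `rescue ActiveRecord::RecordInvalid` does not catch, and this happens after `@user.save!`. A misspelled key inside the list is similar: `MetadataObject.lookup(obj_key)` presumably returns nil and that nil is passed straight to `Permission.create!`. I would default the list with `(MetadataObject.lookup("self_service_perms_list") || "").split.each do |x|` and log and skip (or fail registration on) any entry where `default_obj.nil? || default_role.nil?`. The method starts outside this hunk, so confirm whether it runs in a transaction that also rolls back the saved user when a permission cannot be created.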
@@ -0,0 +1,47 @@
+#
+# Copyright (C) 2011 Red Hat, Inc.
+# Written by Scott Seago sseago@redhat.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
+# MA 02110-1301, USA. A copy of the GNU General Public License is
+# also available at http://www.gnu.org/copyleft/gpl.html.
+
+class AddTemplateCreatorRole < ActiveRecord::Migration
+
+
+ def self.up
+ unless Role.all.empty?
+ Role.transaction do
+ role_name = "Template Creator"
+ role = Role.find_or_initialize_by_name(role_name)
+ role.update_attributes({:name => role_name, :scope => BasePermissionObject.name,
+ :assign_to_owner => false})
+ role.save!
+ ["view","use","create"].each do |action|
+ Privilege.create!(:role => role, :target_type => Template.name,
+ :action => action)
+ end
+ end
+ settings = {"self_service_default_template_obj" => BasePermissionObject.general_permission_scope,
+ "self_service_default_template_role" => default_template_role,
+ "self_service_perms_list" => "self_service_default_pool,self_service_default_role self_service_default_template_obj,self_service_default_template_role"}
+ settings.each_pair do |key, value|
+ MetadataObject.set(key, value)
+ end
+ end
+ end
+
+ def self.down
+ end
+end
diff --git a/src/db/seeds.rb b/src/db/seeds.rb
index cf23e60..b29ef3d 100644
--- a/src/db/seeds.rb
+++ b/src/db/seeds.rb
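Review bot: In the new migration, `Privilege.create!` inside the `["view","use","create"].each` loop runs even when `find_or_initialize_by_name` found an existing "Template Creator" role, so on a database that already has the role (for example one seeded from the updated seeds.rb) it either duplicates the three privileges or aborts the transaction, depending on Privilege validations that are not visible here. Creating only the missing rows keeps the migration repeatable, e.g. `next if Privilege.exists?(:role_id => role.id, :target_type => Template.name, :action => action)` (column name assumed from the `:role` association). `self.down` is also empty, so a rollback leaves the role, its privileges and the three settings in place; either undo them there or add a comment such as `# intentionally irreversible: role and settings are kept on rollback`.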
@@ -57,6 +57,7 @@ roles = Quota => [VIEW, MOD], PoolFamily => [VIEW, MOD,CRE,VPRM,GPRM]}], "Template Administrator" => [false, {Template => [VIEW,USE,MOD,CRE,VPRM,GPRM]}], + "Template Creator" => [false, {Template => [VIEW,USE, CRE]}], "Administrator" => [false, {Provider => [VIEW, MOD,CRE,VPRM,GPRM], ProviderAccount => [VIEW,USE,MOD,CRE,VPRM,GPRM], HardwareProfile => [ MOD,CRE,VPRM,GPRM], @@ -92,14 +93,19 @@ BasePermissionObject.create!(:name => "general_permission_scope") # Set meta objects MetadataObject.set("default_pool_family", PoolFamily.find_by_name('default'))
-default_pool = Pool.find_by_name("default_pool") default_quota = Quota.create
+default_pool = Pool.find_by_name("default_pool") default_role = Role.find_by_name("Pool User") +default_template_role = Role.find_by_name("Template Creator") + settings = {"allow_self_service_logins" => "true", "self_service_default_quota" => default_quota, "self_service_default_pool" => default_pool, - "self_service_default_role" => default_role} + "self_service_default_role" => default_role, + "self_service_default_template_obj" => BasePermissionObject.general_permission_scope, + "self_service_default_template_role" => default_template_role, + "self_service_perms_list" => "self_service_default_pool,self_service_default_role self_service_default_template_obj,self_service_default_template_role"} settings.each_pair do |key, value| MetadataObject.set(key, value) end diff --git a/src/lib/tasks/dc_tasks.rake b/src/lib/tasks/dc_tasks.rake index f7e853d..8255d32 100644 --- a/src/lib/tasks/dc_tasks.rake +++ b/src/lib/tasks/dc_tasks.rake @@ -46,10 +46,15 @@ namespace :dc do puts "Permission already granted for user #{args.login}" exit(1) end - - user.permissions << Permission.new(:role => Role.find_by_name('Administrator'), - :permission_object => BasePermissionObject.general_permission_scope) - puts "Granting administrator privileges for #{args.login}..." + permission = Permission.new(:role => Role.find_by_name('Administrator'), + :permission_object => BasePermissionObject.general_permission_scope, + :user => user) + if permission.save + puts "Granting administrator privileges for #{args.login}..." + else + puts "Granting administrator privileges for #{args.login} failed #{permission.errors.to_xml}" + exit(1) + end end
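Review bot: In dc_tasks.rake, the failure branch prints `permission.errors.to_xml`, which puts an XML document on the console of a rake task; `permission.errors.full_messages.join(', ')` gives the operator the same information as plain text. The success message still reads "Granting administrator privileges…" although it is now printed after `permission.save` has already succeeded, so "Granted" would match what happened. `Role.find_by_name('Administrator')` can return nil on an unseeded database, and whether the save then fails depends on Permission validations outside this hunk, so an explicit nil check with its own error message before building the permission would be safer.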
diff --git a/src/spec/services/registration_service_spec.rb b/src/spec/services/registration_service_spec.rb index 810fe6e..ea38412 100644 --- a/src/spec/services/registration_service_spec.rb +++ b/src/spec/services/registration_service_spec.rb @@ -17,7 +17,7 @@ describe RegistrationService do end end
- it "should register a user with default pool/quota/role when default settings set" do + it "should register a user with default pool/quota/role/template perms when default settings set" do @user = Factory :user @pool = MetadataObject.lookup("self_service_default_pool") @role = MetadataObject.lookup("self_service_default_role") @@ -33,6 +33,8 @@ describe RegistrationService do
@user.quota.maximum_running_instances.should == @quota.maximum_running_instances @user.quota.maximum_total_instances.should == @quota.maximum_total_instances + BasePermissionObject.general_permission_scope.has_privilege(@user,Privilege::CREATE, Template).should == true + BasePermissionObject.general_permission_scope.has_privilege(@user,Privilege::USE, Template).should == true end
end @@ -51,7 +53,7 @@ describe RegistrationService do lambda do lambda do registration_process.save.should be_true - end.should change(Permission, :count).by(1) + end.should change(Permission, :count).by(2) end.should change(User, :count).by(1) end.should change(Quota, :count).by(1)
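Review bot: The two added `has_privilege` assertions in the "default pool/quota/role/template perms" example check only that the new user gained CREATE and USE on Template; nothing asserts what the user must not be able to do. Because registration now gives every self-registered user a role on the global permission scope, a negative check such as `BasePermissionObject.general_permission_scope.has_privilege(@user,Privilege::MODIFY, Template).should be_false` would catch an over-broad role definition or a wrong entry in `self_service_perms_list`. The role also grants view on templates, which the spec does not cover.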