So to check 'provider_view' privilege for the "current object" then call as before: has_provider_view?
To check against a specific object then pass it in as a parameter:
has_quota_modify?(pool) has_pool_view?(BasePortalObject.general_permission_scope)
Signed-off-by: Scott Seago sseago@redhat.com --- src/app/controllers/application_controller.rb | 4 ++-- src/app/services/application_service.rb | 6 +++--- 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/src/app/controllers/application_controller.rb b/src/app/controllers/application_controller.rb
index 214eb2b..d7b135b 100644
--- a/src/app/controllers/application_controller.rb
+++ b/src/app/controllers/application_controller.rb
@@ -56,8 +56,8 @@ class ApplicationController < ActionController::Base
perm_helper_string = ""
Privilege::FULL_PRIVILEGE_LIST.each do |privilege|
- perm_helper_string += "def has_#{privilege}?; " +
- "check_privilege("#{privilege}") end; "
+ perm_helper_string += "def has_#{privilege}?(obj=@perm_obj); " +
+ "check_privilege("#{privilege}", obj) end; "
end
master_helper_module.module_eval perm_helper_string
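Review bot: The generated `has_<privilege>?(obj=@perm_obj)` helpers default to whatever `@perm_obj` the most recent `authorized?` call in the request left behind, and when no check has run yet `@perm_obj` is nil, so `check_privilege` quietly answers for `BasePortalObject.general_permission_scope` rather than for any page object. That is the same fallback the service already applies, but it is invisible at the call site; record it where the helpers are defined: `# has_<privilege>?(obj) defaults to the object last passed to authorized?/require_privilege; with none set it checks the general permission scope`. The privilege names spliced into the `module_eval` string come from the `Privilege::FULL_PRIVILEGE_LIST` constant rather than from request or database data, which is what keeps this code generation safe — a one-line comment saying so would stop a later change from sourcing them elsewhere without noticing the consequence.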
diff --git a/src/app/services/application_service.rb b/src/app/services/application_service.rb
index e2c45cb..f72f83d 100644
--- a/src/app/services/application_service.rb
+++ b/src/app/services/application_service.rb
@@ -40,14 +40,14 @@ module ApplicationService
# @current_user must be defined
- def check_privilege(privilege)
- ((@perm_obj and @perm_obj.has_privilege(@current_user, privilege)) or
+ def check_privilege(privilege, perm_obj)
+ ((perm_obj and perm_obj.has_privilege(@current_user, privilege)) or
BasePortalObject.general_permission_scope.has_privilege(@current_user, privilege))
end
def authorized?(privilege, perm_obj=nil)
@perm_obj = perm_obj
- check_privilege(privilege)
+ check_privilege(privilege,@perm_obj)
end
def require_privilege(privilege, perm_obj=nil)
unless authorized?(privilege, perm_obj)
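Review bot: `authorized?` still assigns `@perm_obj` before delegating to the now-parameterised `check_privilege`, so a method that reads as a pure query also sets per-request state; if its only remaining consumer is the default argument of the generated `has_<privilege>?` view helpers, say so on the line: `@perm_obj = perm_obj # remembered: generated has_<privilege>? helpers default to the last object checked`. `check_privilege(privilege,@perm_obj)` is missing the space after the comma, and the `and`/`or` inside `check_privilege` are correct only because of the surrounding parentheses — `&&`/`||` would not depend on them. The body of `require_privilege` continues past the end of the hunk.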
The views will change with the coming redesign, and backlinks _from_ the permission pages back to the pool/account/etc pages are not yet defined.
Signed-off-by: Scott Seago sseago@redhat.com --- src/app/controllers/application_controller.rb | 2 + src/app/controllers/permissions_controller.rb | 90 +++++++++++++++++++++++++ src/app/models/cloud_account.rb | 4 + src/app/views/layouts/_main_nav.html.erb | 1 + src/app/views/permissions/list.html.erb | 31 +++++++++ src/app/views/permissions/new.html.erb | 17 +++++ src/app/views/portal_pool/accounts.html.erb | 8 ++ src/app/views/portal_pool/show.html.erb | 3 +- src/app/views/provider/show.html.erb | 1 + 9 files changed, 156 insertions(+), 1 deletions(-) create mode 100644 src/app/controllers/permissions_controller.rb create mode 100644 src/app/views/permissions/list.html.erb create mode 100644 src/app/views/permissions/new.html.erb
diff --git a/src/app/controllers/application_controller.rb b/src/app/controllers/application_controller.rb
index d7b135b..a71f53d 100644
--- a/src/app/controllers/application_controller.rb
+++ b/src/app/controllers/application_controller.rb
@@ -61,6 +61,8 @@ class ApplicationController < ActionController::Base
end
master_helper_module.module_eval perm_helper_string
+ helper_method :check_privilege
+
protected # permissions checking
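Review bot: `helper_method :check_privilege` sits right after the `module_eval` that defines the `has_<privilege>?` helpers, and nothing says why the raw service method has to be reachable from templates; a comment would save the next reader a search: `# the generated has_<privilege>? helpers run in view context and call check_privilege`. Because `check_privilege` is mixed in from ApplicationService rather than defined below the `protected` marker here, it is worth confirming it is not a public instance method of the controller — in the Rails generation this code appears to target (`before_filter`, `form_tag ... do`), public controller methods are dispatchable as actions, and a privilege check should not be routable even if it would only fail on missing arguments.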
diff --git a/src/app/controllers/permissions_controller.rb b/src/app/controllers/permissions_controller.rb
new file mode 100644
index 0000000..257f2b1
--- /dev/null
+++ b/src/app/controllers/permissions_controller.rb
@@ -0,0 +1,90 @@
+#
+# Copyright (C) 2009 Red Hat, Inc.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
+# MA 02110-1301, USA. A copy of the GNU General Public License is
+# also available at http://www.gnu.org/copyleft/gpl.html.
+
+# Filters added to this controller apply to all controllers in the application.
+# Likewise, all the methods added will be available for all controllers.
+
+class PermissionsController < ApplicationController
+ before_filter :require_user
+
+ def show
+ @permission = Permission.find(params[:id])
+ require_privilege(Privilege::PERM_VIEW, @permission.permission_object)
+ end
+
+ def list
+ set_permission_object Privilege::PERM_VIEW
+ end
+
+ def new
+ set_permission_object Privilege::PERM_SET
+ @permission = Permission.new(:permission_object_type => @permission_object.class,
+ :permission_object_id => @permission_object.id)
+ @users = User.all
+ @roles = Role.find_all_by_scope(@permission_object.class.name)
+ end
+
+ def create
+ @permission = Permission.new(params[:permission])
+ require_privilege(Privilege::PERM_SET, @permission.permission_object)
+ if request.post? && @permission.save
+ flash[:notice] = "Permission record added."
+ redirect_to :action => "list",
+ :permission_object_type => @permission.permission_object_type,
+ :permission_object_id => @permission.permission_object_id
+ else
+ @permission_object = @permission.permission_object
+ render :action => 'new'
+ end
+ end
+
+ def destroy
+ if request.post?
+ p =Permission.find(params[:permission][:id])
+ require_privilege(Privilege::PERM_SET, p.permission_object)
+ p.destroy
+ end
+ redirect_to :action => "list",
+ :permission_object_type => p.permission_object_type,
+ :permission_object_id => p.permission_object_id
+ end
+
+ private
+
+ def set_permission_object(privilege)
+ if !params[:permission_object_type].nil?
+ @permission_object =
+ params[:permission_object_type].constantize.find(params[:permission_object_id])
+ elsif !params[:portal_pool_id].nil?
+ @permission_object = PortalPool.find params[:portal_pool_id]
+ elsif !params[:provider_id].nil?
+ @permission_object = Provider.find params[:provider_id]
+ elsif !params[:cloud_account_id].nil?
+ @permission_object = CloudAccount.find params[:cloud_account_id]
+ elsif !params[:base_portal_object_id].nil?
+ @permission_object = BasePortalObject.find params[:base_portal_object_id]
+ else
+ @permission_object = BasePortalObject.general_permission_scope
+ end
+
+ raise ActiveRecord::RecordNotFound if @permission_object.nil?
+
+ require_privilege(privilege, @permission_object)
+ end
+
+end
diff --git a/src/app/models/cloud_account.rb b/src/app/models/cloud_account.rb
index 6d44b64..da7e8dd 100644
--- a/src/app/models/cloud_account.rb
+++ b/src/app/models/cloud_account.rb
@@ -56,4 +56,8 @@ class CloudAccount < ActiveRecord::Base
def account_prefix_for_realm
provider.name + Realm::AGGREGATOR_REALM_PROVIDER_DELIMITER + username
end
+
+ def name
+ username
+ end
end
diff --git a/src/app/views/layouts/_main_nav.html.erb b/src/app/views/layouts/_main_nav.html.erb
index 1894cb4..e53af7f 100644
--- a/src/app/views/layouts/_main_nav.html.erb
+++ b/src/app/views/layouts/_main_nav.html.erb
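Review bot: `set_permission_object` calls `constantize` on `params[:permission_object_type]` straight from the request, so any constant name a client sends is resolved and `find` is invoked on it, and the `require_privilege` that follows assumes whatever comes back responds to `has_privilege`; restrict the lookup to the classes this controller actually permissions, e.g. `PERMISSION_OBJECT_TYPES = %w[BasePortalObject PortalPool Provider CloudAccount].freeze` and `raise ActiveRecord::RecordNotFound unless PERMISSION_OBJECT_TYPES.include?(params[:permission_object_type])` ahead of the `constantize` (those four are the names the other branches already use; extend the list if more types carry permissions). In `create`, `Permission.new(params[:permission])` mass-assigns the same client-supplied type/id pair together with `user_id` and `role_id`; checking PERM_SET on the resulting `permission_object` is the right object to check, but nothing here ensures the submitted `role_id` is one of the roles `new` offered (`Role.find_all_by_scope(@permission_object.class.name)`), so unless the Permission model validates role scope against the object type a caller can attach a role of another scope — that belongs in a model validation or an explicit check before `save`. `destroy` reads `p.permission_object_type` after the `if request.post?` block, so a GET reaches the `redirect_to` with `p` unset and raises NoMethodError; restrict the action to POST with `verify :method => :post, :only => [:destroy], :redirect_to => {:action => "list"}` at the top of the class, which also makes the `request.post?` branch unnecessary.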
@@ -1,6 +1,7 @@
<%=link_to "Add a provider", {:controller => "provider", :action => "new"}, :class => "actionlink" %>
<%=link_to "Add a pool", {:controller => "portal_pool", :action => "new"}, :class => "actionlink" %>
+<%= link_to "User access", {:controller => "permissions", :action => "list"}, :class=>"actionlink" if has_view_perms?(BasePortalObject.general_permission_scope) %>
<h3>Providers</h3>
<ul id="providers">
<% cur_id = params[:id].to_i %>
diff --git a/src/app/views/permissions/list.html.erb b/src/app/views/permissions/list.html.erb
new file mode 100644
index 0000000..4c7241f
--- /dev/null
+++ b/src/app/views/permissions/list.html.erb
@@ -0,0 +1,31 @@
+<% if @permission_object.permissions.size == 0 %>
+<h1>There are no permissions defined on <%= @permission_object.name%></h1>
+<% else %>
+ <table>
+ <thead>
+ <tr>
+ <th scope="col">User</th>
+ <th scope="col">Role</th>
+ <th scope="col">Action</th>
+ </tr>
+ </thead>
+ <tbody>
+ <%@permission_object.permissions.each {|permission| %>
+ <tr>
+ <td><%= permission.user.login %></td>
+ <td><%= permission.role.name %></td>
+ <td>
+ <% form_tag :action => 'destroy' do %>
+ <%= hidden_field :permission, :id, :value => permission.id %>
+ <%= submit_tag "delete", :class => "submit_link" %>
+ <% end %>
+ </td>
+ </tr>
+ <% } %>
+ </tbody>
+ </table>
+<% end %>
+<%= link_to "Add a new permission record",
+ {:action => "new",
+ :permission_object_type => @permission_object.class,
+ :permission_object_id => @permission_object.id}, :class=>"actionlink"%>
diff --git a/src/app/views/permissions/new.html.erb b/src/app/views/permissions/new.html.erb
new file mode 100644
index 0000000..dd102ce
--- /dev/null
+++ b/src/app/views/permissions/new.html.erb
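Review bot: In list.html.erb, `<%= @permission_object.name%>`, `<%= permission.user.login %>` and `<%= permission.role.name %>` are emitted without `h`; in the Rails generation this code appears to target (`before_filter`, `form_tag ... do` inside `<% %>`), `<%= %>` does not HTML-escape, and `name` for a CloudAccount is the account `username` added in this same series, i.e. user-entered text landing in the page as markup. Wrap each with `h(...)` — `<%= h(@permission_object.name) %>`, `<%= h(permission.user.login) %>`, `<%= h(permission.role.name) %>` — and do the same for `@permission_object.name` in new.html.erb, unless the application already runs with automatic output escaping, in which case a comment in the template saying so would settle the question. The per-row delete is a POST form with the id in a hidden field, which is the right shape; whether it carries an authenticity token depends on `protect_from_forgery` in ApplicationController, which is outside this series.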
@@ -0,0 +1,17 @@
+<div class="dcloud_form">
+ <%= error_messages_for 'permission' %>
+
+ <h2>Add new Permission for <%= @permission_object.name %></h2><br />
+ <% form_tag :action => 'create' do-%>
+ <ul>
+ <li><label>User<span>User to receive permission grant</span></label>
+ <%= select("permission", "user_id", @users.collect {|u| [ u.login, u.id ] }, { :include_blank => true }) %>
+ </li>
+ <li><label>Role</label>
+ <%= select("permission", "role_id", @roles.collect {|r| [ r.name, r.id ] }, { :include_blank => true }) %>
+ </li>
+ <%= hidden_field :permission, :permission_object_type %>
+ <%= hidden_field :permission, :permission_object_id %>
+ <%= submit_tag "Save", :class => "submit" %>
+ <% end %>
+</div>
diff --git a/src/app/views/portal_pool/accounts.html.erb b/src/app/views/portal_pool/accounts.html.erb
index e6b4f1c..3a95eae 100644
--- a/src/app/views/portal_pool/accounts.html.erb
+++ b/src/app/views/portal_pool/accounts.html.erb
@@ -6,6 +6,7 @@
<tr>
<th scope="col">Provider</th>
<th scope="col">Username</th>
+ <th scope="col">Actions</th>
</tr>
</thead>
<tbody>
@@ -13,6 +14,13 @@
<tr>
<td><%= account.provider.name %></td>
<td><%= account.username %></td>
+ <td>
+ <%= link_to "User access",
+ {:controller => "permissions",
+ :action => "list",
+ :cloud_account_id => account.id},
+ :class=>"actionlink" if has_view_perms?(account) %>
+ </td>
</tr>
<% } %>
</tbody>
diff --git a/src/app/views/portal_pool/show.html.erb b/src/app/views/portal_pool/show.html.erb
index 128d74c..31e2d7c 100644
--- a/src/app/views/portal_pool/show.html.erb
+++ b/src/app/views/portal_pool/show.html.erb
@@ -36,7 +36,8 @@
</table>
<% end %>
<%= link_to "Add a new instance", {:controller => "instance", :action => "new", :id => @pool}, :class=>"actionlink"%>
-<%= link_to "Accounts", {:action => "accounts", :id => @pool.id}, :class=>"actionlink"%>
+<%= link_to "Back end Accounts", {:action => "accounts", :id => @pool.id}, :class=>"actionlink"%>
+<%= link_to "User access", {:controller => "permissions", :action => "list", :portal_pool_id => @pool.id}, :class=>"actionlink" if has_view_perms? %>
<%= link_to "Hardware Profiles", {:action => "hardware_profiles", :id => @pool.id}, :class=>"actionlink"%>
<%=link_to "View Images", {:controller => "portal_pool", :action => "images", :portal_pool => @pool}, :class => "actionlink" %>
<%= link_to "Realms", {:action => "realms", :id => @pool.id}, :class=>"actionlink"%>
diff --git a/src/app/views/provider/show.html.erb b/src/app/views/provider/show.html.erb
index c00cfbf..2ec5f62 100644
--- a/src/app/views/provider/show.html.erb
+++ b/src/app/views/provider/show.html.erb
@@ -21,6 +21,7 @@
<%= link_to "Add a pool", {:controller => "portal_pool", :action => "new", :provider => @provider}, :class => "actionlink" %>
<%= link_to "Realms", {:action => "realms", :id => @provider.id}, :class=>"actionlink"%>
<%= link_to "Accounts", {:action => "accounts", :id => @provider.id}, :class=>"actionlink"%>
+<%= link_to "User access", {:controller => "permissions", :action => "list", :provider_id => @provider.id}, :class=>"actionlink" if has_view_perms? %>
<% form_tag :action => 'destroy' do %>
<%=hidden_field :provider, :id %>
<%= submit_tag "Delete Provider", :class => "submit_link" %>
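Review bot: The `User access` links added here in portal_pool/show.html.erb and in provider/show.html.erb call `has_view_perms?` with no argument, so whether the link appears rests on whichever object the controller's most recent `require_privilege` stored in `@perm_obj` — or on the general permission scope if none ran — rather than on `@pool` / `@provider` explicitly, while the other call sites in this series (`_main_nav.html.erb`, `accounts.html.erb`) pass the object. Pass it here as well, `if has_view_perms?(@pool)` and `if has_view_perms?(@provider)`, so the link cannot silently follow a later change to the show actions' checks. This only decides whether the link is rendered — the `list` action re-checks PERM_VIEW on the object it resolves — but a link shown or hidden for the wrong object is a confusing failure mode that is cheap to rule out.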
On 03/29/2010 01:52 PM, Scott Seago wrote:
So to check 'provider_view' privilege for the "current object" then call as before: has_provider_view?
To check against a specific object then pass it in as a parameter:
has_quota_modify?(pool) has_pool_view?(BasePortalObject.general_permission_scope
Signed-off-by: Scott Seagosseago@redhat.com
src/app/controllers/application_controller.rb | 4 ++-- src/app/services/application_service.rb | 6 +++--- 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/src/app/controllers/application_controller.rb b/src/app/controllers/application_controller.rb index 214eb2b..d7b135b 100644 --- a/src/app/controllers/application_controller.rb +++ b/src/app/controllers/application_controller.rb @@ -56,8 +56,8 @@ class ApplicationController< ActionController::Base
perm_helper_string = "" Privilege::FULL_PRIVILEGE_LIST.each do |privilege|
- perm_helper_string += "def has_#{privilege}?; " +
"check_privilege(\"#{privilege}\") end; "
- perm_helper_string += "def has_#{privilege}?(obj=@perm_obj); " +
end master_helper_module.module_eval perm_helper_string"check_privilege(\"#{privilege}\", obj) end; "
diff --git a/src/app/services/application_service.rb b/src/app/services/application_service.rb index e2c45cb..f72f83d 100644 --- a/src/app/services/application_service.rb +++ b/src/app/services/application_service.rb @@ -40,14 +40,14 @@ module ApplicationService
# @current_user must be defined
- def check_privilege(privilege)
- ((@perm_obj and @perm_obj.has_privilege(@current_user, privilege)) or
- def check_privilege(privilege, perm_obj)
- ((perm_obj and perm_obj.has_privilege(@current_user, privilege)) or BasePortalObject.general_permission_scope.has_privilege(@current_user, privilege)) end def authorized?(privilege, perm_obj=nil) @perm_obj = perm_obj
- check_privilege(privilege)
- check_privilege(privilege,@perm_obj) end def require_privilege(privilege, perm_obj=nil) unless authorized?(privilege, perm_obj)
ACK. Looks good.
-Mo