From 6e17b4653cda02311d6e09fa7e2abd49ff7aee39 Mon Sep 17 00:00:00 2001
From: Sylvain Afchain
Date: Fri, 3 Oct 2014 18:18:12 +0200
Subject: [PATCH] Only allows admin users to change the user_visible

This patch add a check to avoid a non admin user to change the default user_visible value.

Change-Id: Iba48443f97fe0dac2f63f8350a891bd06ee50f1f
Closes-bug: #1377230
---
 src/config/api-server/vnc_perms.py | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/src/config/api-server/vnc_perms.py b/src/config/api-server/vnc_perms.py
index ff5ffdea8b0..547df3d8102 100644
--- a/src/config/api-server/vnc_perms.py
+++ b/src/config/api-server/vnc_perms.py
@@ -21,6 +21,10 @@ def _multi_tenancy(self):
 return self._server_mgr._args.multi_tenancy
 # end
+ def validate_user_visible_perm(self, id_perms, is_admin):
+ return id_perms['user_visible'] is not False or is_admin
+ # end
+
 def validate_perms(self, request, uuid, mode=PERMS_R):
 # retrieve object and permissions
 try:
@@ -51,11 +55,15 @@ def validate_perms(self, request, uuid, mode=PERMS_R):
 mode_mask = mode | mode << 3 | mode << 6
 ok = is_admin or (mask & perms & mode_mask)
+ if ok and mode == PERMS_W:
+ ok = self.validate_user_visible_perm(id_perms, is_admin)
+
 msg = '%s %s %s admin=%s, mode=%03o mask=%03o %s/"%s", \
- perms=%03o (%s/%s)' \
+ perms=%03o (%s/%s), user_visible=%s' \
 % ('+++' if ok else '---', self.mode_str[mode], uuid,
 'yes' if is_admin else 'no', mode_mask, mask,
- user, string.join(roles, ','), perms, owner, group)
+ user, string.join(roles, ','), perms, owner, group,
+ id_perms['user_visible'])
 self._server_mgr.config_log(msg, level=SandeshLevel.SYS_DEBUG)
 return (True, '') if ok else (False, err_msg)
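Review bot: `validate_user_visible_perm` indexes `id_perms['user_visible']` directly, so an object whose id_perms lacks that key would raise KeyError instead of producing an allow or deny decision; the same direct lookup is added to the debug message in the second hunk, where it runs for every mode and not only for writes. I would read the value once with a default, e.g. `user_visible = id_perms.get('user_visible', True)`, and use that in both places. The `is not False` identity test also treats any non-bool falsy value (0, or the string 'false') as visible, which fails open for a non-admin; if the stored value is not guaranteed to be a bool, normalise it before the comparison. A one-line docstring saying the method returns True when the write is permitted would help, since the name does not say which way the result reads.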
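Review bot: The check added at `if ok and mode == PERMS_W:` inspects `id_perms`, which appears to be the permissions loaded for the existing object earlier in validate_perms (the lookup is outside the hunk), not the id_perms carried in the update request. If so, it denies a non-admin write to an object that is already hidden, but it never compares the requested `user_visible` with the stored one, so the commit title's goal of letting only admins change the flag would depend on a check elsewhere in the update path. It is worth confirming where the request body's `user_visible` is validated, and adding a test in which a non-admin submits an update that changes the flag on a visible object. When the new check denies the request, the returned `err_msg` is still whatever was set earlier in the function (outside the hunk), so the caller cannot tell a user_visible denial from an ordinary permission denial.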