Honor keystone policy file when creating client

When creating the keystone client for an admin the user is checked for the specific role of "admin" to determine if they are authorized to use the admin URL. This patch changes this logic so that the policy file is honored instead of a specific role. Closes-Bug: #1336418 Change-Id: I600334dff17a5564f97cbcce67ff6d3619142961
openstack · Nov 6, 2014 · 45ae78c · 45ae78c
1 parent 9f904e3
commit 45ae78c
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/openstack_dashboard/api/keystone.py b/openstack_dashboard/api/keystone.py
@@ -34,6 +34,7 @@
 from horizon.utils import functions as utils
 
 from openstack_dashboard.api import base
+from openstack_dashboard import policy
 
 
 LOG = logging.getLogger(__name__)
@@ -143,7 +144,7 @@ def keystoneclient(request, admin=False):
     """
     user = request.user
     if admin:
-        if not user.is_superuser:
+        if not policy.check(("identity", "admin_required"), request):
             raise exceptions.NotAuthorized
         endpoint_type = 'adminURL'
     else: