summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorDan Callaghan <dcallagh@redhat.com>2014-07-08 21:05:58 +1000
committerDan Callaghan <dcallagh@redhat.com>2014-07-09 08:06:51 +1000
commitd83caddcb20053e2ef4ce3450c87693342360c84 (patch)
tree34d811bba6f0a3334676da9ef75073c1db4cd9a4
parent8dec804f5d240b3a8a18179ec6a9bc0d002930a6 (diff)
power CSV export should only include systems which the user can edit
The web UI hides power config from users unless they have permission to edit the system, power CSV export should apply the same restriction. Bug: 1116722 Change-Id: I6b7948311ef11c14fd2d2b9fe262f8e34b243d55
-rw-r--r--IntegrationTests/src/bkr/inttest/server/selenium/test_csv_export.py43
-rw-r--r--Server/bkr/server/CSV_import_export.py5
-rw-r--r--Server/bkr/server/model/inventory.py9
3 files changed, 54 insertions, 3 deletions
diff --git a/IntegrationTests/src/bkr/inttest/server/selenium/test_csv_export.py b/IntegrationTests/src/bkr/inttest/server/selenium/test_csv_export.py
index cc5efe6..aaad160 100644
--- a/IntegrationTests/src/bkr/inttest/server/selenium/test_csv_export.py
+++ b/IntegrationTests/src/bkr/inttest/server/selenium/test_csv_export.py
@@ -9,9 +9,9 @@
from turbogears.database import session
from bkr.inttest import data_setup, get_server_base
from bkr.inttest.server.selenium import WebDriverTestCase
-from bkr.inttest.server.webdriver_utils import login
+from bkr.inttest.server.webdriver_utils import login, logout
from bkr.server.model import Provision, ProvisionFamily, ProvisionFamilyUpdate, \
- ExcludeOSMajor
+ ExcludeOSMajor, SystemPermission
import csv
import requests
@@ -138,6 +138,45 @@ class CSVExportTest(WebDriverTestCase):
self.assert_(not any(row['fqdn'] == secret_system.fqdn
for row in csv.DictReader(csv_request)))
+ def test_export_power(self):
+ with session.begin():
+ system = data_setup.create_system()
+ data_setup.configure_system_power(system, power_type=u'drac',
+ address=u'100 East Davie Street', user=u'Shadowman',
+ password=u'usethesource', power_id=u'666')
+ login(self.browser)
+ csv_request = self.get_csv('power')
+ row, = [row for row in csv.DictReader(csv_request)
+ if row['fqdn'] == system.fqdn]
+ self.assertEquals(row, {
+ 'csv_type': 'power',
+ 'fqdn': system.fqdn,
+ 'power_type': 'drac',
+ 'power_address': '100 East Davie Street',
+ 'power_user': 'Shadowman',
+ 'power_passwd': 'usethesource',
+ 'power_id': '666',
+ })
+
+ # https://bugzilla.redhat.com/show_bug.cgi?id=1116722
+ def test_export_power_does_not_leak_power_config(self):
+ with session.begin():
+ unprivileged_user = data_setup.create_user(password=u'asdf')
+ privileged_user = data_setup.create_user(password=u'asdf')
+ system = data_setup.create_system(shared=True)
+ system.custom_access_policy.add_rule(SystemPermission.edit_system,
+ user=privileged_user)
+ b = self.browser
+ login(b, user=privileged_user.user_name, password=u'asdf')
+ csv_request = self.get_csv('power')
+ fqdns = [row['fqdn'] for row in csv.DictReader(csv_request)]
+ self.assertIn(system.fqdn, fqdns)
+ logout(b)
+ login(b, user=unprivileged_user.user_name, password=u'asdf')
+ csv_request = self.get_csv('power')
+ fqdns = [row['fqdn'] for row in csv.DictReader(csv_request)]
+ self.assertNotIn(system.fqdn, fqdns)
+
# https://bugzilla.redhat.com/show_bug.cgi?id=785048
def test_export_exclude_options(self):
with session.begin():
diff --git a/Server/bkr/server/CSV_import_export.py b/Server/bkr/server/CSV_import_export.py
index 29d03e2..1cb832b 100644
--- a/Server/bkr/server/CSV_import_export.py
+++ b/Server/bkr/server/CSV_import_export.py
@@ -529,7 +529,10 @@ class CSV_Power(CSV):
@classmethod
def query(cls):
- for system in System.all(identity.current.user).join(System.power):
+ query = System.all(identity.current.user)\
+ .filter(System.can_edit(identity.current.user))\
+ .join(System.power)
+ for system in query:
yield CSV_Power(system.power)
def __init__(self, power):
diff --git a/Server/bkr/server/model/inventory.py b/Server/bkr/server/model/inventory.py
index 627279f..a620e43 100644
--- a/Server/bkr/server/model/inventory.py
+++ b/Server/bkr/server/model/inventory.py
@@ -607,6 +607,7 @@ class System(DeclarativeMappedObject, ActivityMixin):
return True
return False
+ @hybrid_method
def can_edit(self, user):
"""
Does the given user have permission to edit details (inventory info,
@@ -622,6 +623,14 @@ class System(DeclarativeMappedObject, ActivityMixin):
return True
return False
+ @can_edit.expression
+ def can_edit(cls, user): #pylint: disable=E0213
+ cls._ensure_user_is_authenticated(user)
+ if user.is_admin():
+ return true()
+ return or_(SystemAccessPolicy.grants(user, SystemPermission.edit_system),
+ cls.owner == user)
+
def can_lend(self, user):
"""
Does the given user have permission to loan this system to another user?