role base filtering for main admin pages
diff --git a/plstackapi/core/admin.py b/plstackapi/core/admin.py
index 2ddc73b..422ff4b 100644
--- a/plstackapi/core/admin.py
+++ b/plstackapi/core/admin.py
@@ -144,6 +144,17 @@
inlines = [NodeInline,]
search_fields = ['name']
+ def queryset(self, request):
+ # admins can see all keys. Users can only see sites they belong to.
+ qs = super(SiteAdmin, self).queryset(request)
+ if not request.user.is_admin:
+ valid_sites = [request.user.site.login_base]
+ roles = request.user.get_roles()
+ for tenant_list in roles.values():
+ valid_sites.extend(tenant_list)
+ qs = qs.filter(login_base__in=valid_sites)
+ return qs
+
def get_formsets(self, request, obj=None):
for inline in self.get_inline_instances(request, obj):
# hide MyInline in the add view
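Review bot: `valid_sites` in the added `queryset` is extended with every list from `request.user.get_roles()`, and after the pluser.py change in this same commit those lists hold slice names as well as site login_bases, so `login_base__in=valid_sites` also matches any site whose login_base equals the name of a slice the user is in. The SliceAdmin and SliverAdmin hunks have the mirror problem (`name__in` is fed site login_bases), and the `tenants` lists in SitePrivilegeAdmin and SliceMembershipAdmin mix the two in the same way. Because this filter is what keeps non-admins away from other sites' records, each list should be built from one namespace only, for instance from the user's site privileges alone here. Two smaller things: the comment should read `# admins can see all sites. Users can only see sites they belong to.`, and `request.user.site.login_base` raises if a user has no site, which may or may not be possible (the model is not visible here).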
@@ -161,6 +172,20 @@
]
list_display = ('user', 'site', 'role')
+ def queryset(self, request):
+ # admins can see all privileges. Users can only see privileges at sites
+ # where they have the admin role.
+ qs = super(SitePrivilegeAdmin, self).queryset(request)
+ if not request.user.is_admin:
+ roles = request.user.get_roles()
+ tenants = []
+ for (role, tenant_list) in roles:
+ if role == 'admin':
+ tenants.extend(tenant_list)
+ valid_sites = Sites.objects.filter(login_base__in=tenants)
+ qs = qs.filter(site__in=valid_sites)
+ return qs
+
def save_model(self, request, obj, form, change):
# update openstack connection to use this site/tenant
auth = request.session.get('auth', {})
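Review bot: `for (role, tenant_list) in roles:` iterates the dict's keys, so each role-type string is unpacked into two names and the loop raises ValueError for any key that is not exactly two characters long; non-admin users would get an error page instead of a filtered list. It should be `for (role, tenant_list) in roles.items():`, or simply `tenants = roles.get('admin', [])`. The SliceMembershipAdmin hunk has the same loop. `Sites.objects` also looks like a typo for `Site.objects` (the other hunks use the singular `Slice`), though the imports are outside this hunk, so confirm against the model name.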
@@ -194,6 +219,17 @@
list_display = ('name', 'site','serviceClass', 'slice_url')
inlines = [SliverInline]
+ def queryset(self, request):
+ # admins can see all keys. Users can only see slices they belong to.
+ qs = super(SliceAdmin, self).queryset(request)
+ if not request.user.is_admin:
+ valid_slices = []
+ roles = request.user.get_roles()
+ for tenant_list in roles.values():
+ valid_slices.extend(tenant_list)
+ qs = qs.filter(name__in=valid_slices)
+ return qs
+
def get_formsets(self, request, obj=None):
for inline in self.get_inline_instances(request, obj):
# hide MyInline in the add view
@@ -218,6 +254,20 @@
]
list_display = ('user', 'slice', 'role')
+ def queryset(self, request):
+ # admins can see all memberships. Users can only see memberships of
+ # slices where they have the admin role.
+ qs = super(SliceMembershipAdmin, self).queryset(request)
+ if not request.user.is_admin:
+ roles = request.user.get_roles()
+ tenants = []
+ for (role, tenant_list) in roles:
+ if role == 'admin':
+ tenants.extend(tenant_list)
+ valid_slices = Slice.objects.filter(name__in=tenants)
+ qs = qs.filter(slice__in=valid_slices)
+ return qs
+
def save_model(self, request, obj, form, change):
# update openstack connection to use this site/tenant
auth = request.session.get('auth', {})
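Review bot: Overriding `queryset` limits which existing memberships a non-admin can list and open, but nothing in this hunk limits what the add/change form may reference. Unless that is handled elsewhere in the class, a slice admin could presumably still select a slice outside `valid_slices` when creating a membership. On a page that grants roles this matters more than the list filter; consider restricting the `slice` choices with `formfield_for_foreignkey` and re-checking the target slice in `save_model`, whose body continues outside this hunk. The same applies to the `site` field in SitePrivilegeAdmin.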
@@ -258,6 +308,19 @@
]
list_display = ['ip', 'instance_name', 'slice', 'numberCores', 'image', 'key', 'node', 'deploymentNetwork']
+ def queryset(self, request):
+ # admins can see all slivers. Users can only see slivers of
+ # the slices they belong to.
+ qs = super(SliverAdmin, self).queryset(request)
+ if not request.user.is_admin:
+ tenants = []
+ roles = request.user.get_roles()
+ for tenant_list in roles.values():
+ tenants.extend(tenant_list)
+ valid_slices = Slice.objects.filter(name__in=tenants)
+ qs = qs.filter(slice__in=valid_slices)
+ return qs
+
def get_formsets(self, request, obj=None):
# make some fields read only if we are updating an existing record
if obj == None:
diff --git a/plstackapi/core/models/pluser.py b/plstackapi/core/models/pluser.py
index d51572b..8d09310 100644
--- a/plstackapi/core/models/pluser.py
+++ b/plstackapi/core/models/pluser.py
@@ -102,9 +102,9 @@
slice_memberships = SliceMembership.objects.filter(user=self)
roles = defaultdict(list)
for site_privilege in site_privileges:
- roles[site_privilege.site.login_base].append(site_privilege.role.role_type)
+ roles[site_privilege.role.role_type].append(site_privilege.site.login_base)
for slice_membership in slice_memberships:
- roles[slice_membership.slice.name].append(slice_membership.role.role_type)
+ roles[slice_membership.role.role_type].append(slice_membership.slice.name)
return roles
def save(self, *args, **kwds):
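Review bot: Swapping key and value here changes what `get_roles()` returns from `{name: [role_type, ...]}` to `{role_type: [name, ...]}`, and no docstring is visible in the hunk stating either shape. Any caller not touched by this commit that still indexes the result by site or slice name will get an empty list from the defaultdict rather than an error, so a stale permission check would fail silently. Worth grepping for other `get_roles()` users and adding a docstring such as `"""Return {role_type: [site login_base or slice name, ...]} for this user."""`. The method starts above this hunk, so the docstring belongs under its `def` line, outside the lines shown.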