if a user adds a sliver and doesn't have privilege, then throw an error
diff --git a/xos/core/admin.py b/xos/core/admin.py
index beeb982..8ef7a53 100644
--- a/xos/core/admin.py
+++ b/xos/core/admin.py
@@ -19,7 +19,9 @@
 from django.utils.html import conditional_escape, format_html
 from django.utils.text import capfirst
 from django.forms.utils import flatatt, to_current_timezone
+from django.core.exceptions import PermissionDenied, ValidationError
 from cgi import escape as html_escape
+from django.contrib import messages
 
 import django_evolution
 import threading
@@ -194,6 +196,21 @@
             return super(XOSAdminMixin, self).change_view(request, object_id, extra_context=extra_context)
         except PermissionDenied:
             pass
+        except ValidationError as e:
+            if (e.params is None):
+                # Validation errors that don't reference a specific field will
+                # often throw a non-descriptive 500 page to the user. The code
+                # below will cause an error message to be printed and the
+                # page refreshed instead.
+                # As a side-effect it turns the request back into a 'GET' which
+                # may wipe anything the user had changed on the page. But, at
+                # least the user gets a real error message.
+                # TODO: revisit this and display some kind of error view
+                request.method = 'GET'
+                messages.error(request, e.message)
+                return super(XOSAdminMixin, self).change_view(request, object_id, extra_context=extra_context)
+            else:
+                raise
         if request.method == 'POST':
             raise PermissionDenied
         request.readonly = True
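Review bot: The `e.params is None` test in the new `except ValidationError` branch does not tell field-specific errors apart from general ones, because `params` only holds the format arguments of a single-message error. As far as I know, a `ValidationError` built from a dict or list carries `error_dict`/`error_list` and has neither `params` nor `message`, so this handler would raise `AttributeError` and still end in a 500. Consider `if not hasattr(e, 'error_dict'):` with `messages.error(request, '; '.join(e.messages))`, which also covers a general error that was raised with params. The second `change_view` call runs inside the handler, so a `PermissionDenied` raised there is not caught by the sibling `except PermissionDenied` and skips the read-only fallback below. The body of `change_view` starts outside this hunk.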
diff --git a/xos/core/models/sliver.py b/xos/core/models/sliver.py
index 6c102d5..5430dc7 100644
--- a/xos/core/models/sliver.py
+++ b/xos/core/models/sliver.py
@@ -16,6 +16,7 @@
 from django.contrib.contenttypes import generic
 from xos.config import Config
 from monitor import driver as monitor
+from django.core.exceptions import PermissionDenied, ValidationError
 
 config = Config()
 
@@ -114,6 +115,13 @@
         if not self.creator:
             raise ValidationError('sliver has no creator')
 
+        if (self.slice.creator != self.creator):
+            # Check to make sure there's a slice_privilege for the user. If there
+            # isn't, then keystone will throw an exception inside the observer.
+            slice_privs = SlicePrivilege.objects.filter(slice=self.slice, user=self.creator)
+            if not slice_privs:
+                raise ValidationError('sliver creator has no privileges on slice')
+
 # XXX smbaker - disabled for now, was causing fault in tenant view create slice
 #        if not self.controllerNetwork.test_acl(slice=self.slice):
 #            raise exceptions.ValidationError("Deployment %s's ACL does not allow any of this slice %s's users" % (self.controllerNetwork.name, self.slice.name))
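Review bot: The new check at `if (self.slice.creator != self.creator)` validates the `creator` recorded on the sliver, not the user making the request, so it works as a consistency guard for the observer rather than as access control. If `creator` can be supplied by the client (not visible here), the caller's privilege on the slice still has to be enforced where `request.user` is available. Any `SlicePrivilege` row passes regardless of role, which is worth stating in the comment if intended. `if not slice_privs:` loads the whole queryset; `if not slice_privs.exists():` asks only for existence. No import of `SlicePrivilege` is visible in the hunks for this file, so confirm it is in scope; the enclosing method starts outside the hunk.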