refactor object write permissions
diff --git a/planetstack/core/models/controlleruser.py b/planetstack/core/models/controlleruser.py
index 678ab77..b3ba720 100644
--- a/planetstack/core/models/controlleruser.py
+++ b/planetstack/core/models/controlleruser.py
@@ -25,6 +25,9 @@
qs = ControllerUser.objects.filter(user__in=users)
return qs
+ def can_update(self, user):
+ return user.can_update_root()
+
class ControllerSitePrivilege(PlCoreBase):
objects = ControllerLinkManager()
diff --git a/planetstack/core/models/image.py b/planetstack/core/models/image.py
index 0bca22f..8d392a3 100644
--- a/planetstack/core/models/image.py
+++ b/planetstack/core/models/image.py
@@ -1,7 +1,7 @@
import os
from django.db import models
from core.models import PlCoreBase
-from core.models import Deployment,Controller,ControllerLinkManager,ControllerLinkDeletionManager
+from core.models import Deployment, DeploymentPrivilege, Controller,ControllerLinkManager,ControllerLinkDeletionManager
# Create your models here.
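Review bot: `DeploymentPrivilege` is added to the module-level import, but none of the image.py hunks shown here reference it; the new `can_update` goes through `user.can_update_deployment(...)`, which imports the class itself inside user.py. If nothing else in the file uses the name, the import line can stay as it was. The function-scope import in user.py suggests these model modules may be sensitive to import order, so an unused cross-model import is worth avoiding.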
@@ -20,6 +20,9 @@
def __unicode__(self): return u'%s %s' % (self.image, self.deployment)
+ def can_update(self, user):
+ return user.can_update_deployment(self.deployment)
+
class ControllerImages(PlCoreBase):
objects = ControllerLinkManager()
deleted_objects = ControllerLinkDeletionManager()
@@ -28,5 +31,3 @@
glance_image_id = models.CharField(null=True, blank=True, max_length=200, help_text="Glance image id")
def __unicode__(self): return u'%s %s' % (self.image, self.controller)
-
-
diff --git a/planetstack/core/models/network.py b/planetstack/core/models/network.py
index c7a97a9..c9ae214 100644
--- a/planetstack/core/models/network.py
+++ b/planetstack/core/models/network.py
@@ -128,7 +128,7 @@
super(Network, self).save(*args, **kwds)
def can_update(self, user):
- return self.owner.can_update(user)
+ return user.can_update_slice(self.owner)
@property
def nat_list(self):
@@ -156,9 +156,6 @@
subnet_id = models.CharField(null=True, blank=True, max_length=256, help_text="Quantum subnet id")
subnet = models.CharField(max_length=32, blank=True)
- def can_update(self, user):
- return user.is_admin
-
@staticmethod
def select_by_user(user):
if user.is_admin:
@@ -190,7 +187,7 @@
def __unicode__(self): return u'%s-%s' % (self.network.name, self.slice.name)
def can_update(self, user):
- return self.slice.can_update(user)
+ return user.can_update_slice(self.slice)
@staticmethod
def select_by_user(user):
@@ -225,7 +222,7 @@
def __unicode__(self): return u'%s-%s' % (self.network.name, self.sliver.instance_name)
def can_update(self, user):
- return self.sliver.can_update(user)
+ return user.can_update_slice(self.sliver.slice)
@staticmethod
def select_by_user(user):
@@ -244,6 +241,9 @@
def __unicode__(self): return u'%s' % (self.name)
+ def can_update(self, user):
+ return user.can_update_slice(self.owner)
+
class NetworkParameterType(PlCoreBase):
name = models.SlugField(help_text="The name of this parameter", max_length=128)
description = models.CharField(max_length=1024)
diff --git a/planetstack/core/models/node.py b/planetstack/core/models/node.py
index 1cd0e40..bb4fe24 100644
--- a/planetstack/core/models/node.py
+++ b/planetstack/core/models/node.py
@@ -22,12 +22,4 @@
super(Node, self).save(*args, **kwds)
def can_update(self, user):
- if user.is_readonly:
- return False
- if user.is_admin:
- return True
- if SitePrivilege.objects.filter(
- user=user, site=self.site, role__role__in=['admin','tech']):
- return True
-
- return False
+ return user.can_update_site(self.site, allow=['tech'])
diff --git a/planetstack/core/models/plcorebase.py b/planetstack/core/models/plcorebase.py
index c86d675..97c3f82 100644
--- a/planetstack/core/models/plcorebase.py
+++ b/planetstack/core/models/plcorebase.py
@@ -193,12 +193,7 @@
self.silent = False
def can_update(self, user):
- if user.is_readonly:
- return False
- if user.is_admin:
- return True
-
- return False
+ return user.can_update_root()
def delete(self, *args, **kwds):
# so we have something to give the observer
diff --git a/planetstack/core/models/reservation.py b/planetstack/core/models/reservation.py
index 4dd1274..1a838a2 100644
--- a/planetstack/core/models/reservation.py
+++ b/planetstack/core/models/reservation.py
@@ -20,7 +20,7 @@
return self.startTime + datetime.timedelta(hours=self.duration)
def can_update(self, user):
- return self.slice.can_update(user)
+ return user.can_update_slice(self.slice)
@staticmethod
def select_by_user(user):
@@ -43,7 +43,7 @@
def __unicode__(self): return u'%d %s on %s' % (self.quantity, self.resource, self.sliver)
def can_update(self, user):
- return self.sliver.slice.can_update(user)
+ return user.can_update(self.sliver.slice)
@staticmethod
def select_by_user(user):
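Review bot: The new line `return user.can_update(self.sliver.slice)` calls the User object's own `can_update` instead of the slice helper that every sibling hunk uses. User's `can_update` is not visible in this diff, but if it follows the `can_update(self, user)` shape of the other models, this asks whether the slice may edit the user, not the reverse. The result is then either an exception or an authorization decision unrelated to slice membership. It should read `return user.can_update_slice(self.sliver.slice)`. The enclosing class starts outside the hunk.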
diff --git a/planetstack/core/models/site.py b/planetstack/core/models/site.py
index 10f23c3..b1b4871 100644
--- a/planetstack/core/models/site.py
+++ b/planetstack/core/models/site.py
@@ -111,15 +111,7 @@
def __unicode__(self): return u'%s' % (self.name)
def can_update(self, user):
- if user.is_readonly:
- return False
- if user.is_admin:
- return True
- site_privs = SitePrivilege.objects.filter(user=user, site=self)
- for site_priv in site_privs:
- if site_priv.role.role == 'pi':
- return True
- return False
+ return user.can_update_site(self, allow=['pi'])
class SiteRole(PlCoreBase):
@@ -143,7 +135,7 @@
super(SitePrivilege, self).delete(*args, **kwds)
def can_update(self, user):
- return self.site.can_update(user)
+ return user.can_update_site(self, allow=['pi'])
@staticmethod
def select_by_user(user):
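Review bot: In this hunk `can_update` passes the privilege row itself, `user.can_update_site(self, allow=['pi'])`, while the removed line delegated to `self.site`. The helper in user.py filters `SitePrivilege.objects.filter(site=site, ...)`, so it needs the Site, not the SitePrivilege; with the wrong object the lookup will fail or match nothing. It should be `return user.can_update_site(self.site, allow=['pi'])`. The DeploymentPrivilege hunk further down has the same shape and most likely wants `self.deployment` rather than `self`.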
@@ -204,16 +196,8 @@
return Deployment.objects.filter(id__in=ids)
def can_update(self, user):
- if user.is_readonly:
- return False
- if user.is_admin:
- return True
-
- if self.deploymentprivileges.filter(user=user, role__role='admin'):
- return True
-
- return False
-
+ return user.can_update_deploymemt(self)
+
def __unicode__(self): return u'%s' % (self.name)
class DeploymentRole(PlCoreBase):
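Review bot: `user.can_update_deploymemt(self)` is misspelled; the helper added in user.py is `can_update_deployment`, so this call raises AttributeError whenever a Deployment write check runs instead of returning a decision. The same misspelling is in the DeploymentPrivilege hunk that follows. The line should be `return user.can_update_deployment(self)`. A small test that calls `can_update` on one instance of each touched model would catch this class of error.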
@@ -235,15 +219,7 @@
def __unicode__(self): return u'%s %s %s' % (self.deployment, self.user, self.role)
def can_update(self, user):
- if user.is_readonly:
- return False
- if user.is_admin:
- return True
- dprivs = DeploymentPrivilege.objects.filter(user=user)
- for dpriv in dprivs:
- if dpriv.role.role == 'admin':
- return True
- return False
+ return user.can_update_deploymemt(self)
@staticmethod
def select_by_user(user):
@@ -278,13 +254,6 @@
def __unicode__(self): return u'%s %s %s' % (self.name, self.backend_type, self.version)
- def can_update(self, user):
- if user.is_readonly:
- return False
- if user.is_admin:
- return True
- return False
-
class SiteDeployment(PlCoreBase):
objects = ControllerLinkManager()
deleted_objects = ControllerLinkDeletionManager()
diff --git a/planetstack/core/models/slice.py b/planetstack/core/models/slice.py
index 476cf8e..d695295 100644
--- a/planetstack/core/models/slice.py
+++ b/planetstack/core/models/slice.py
@@ -81,22 +81,8 @@
super(Slice, self).save(*args, **kwds)
def can_update(self, user):
- if user.is_readonly:
- return False
- if user.is_admin:
- return True
- if user == self.creator:
- return True
- # slice admins can update
- if SlicePrivilege.objects.filter(
- user=user, slice=self, role__role='admin'):
- return True
- # site pis can update
- if SitePrivilege.objects.filter(
- user=user, site=self.site, role__role__in=['admin', 'pi']):
- return True
-
- return False
+ return user.can_update_slice(self)
+
@staticmethod
def select_by_user(user):
@@ -142,7 +128,7 @@
def __unicode__(self): return u'%s %s %s' % (self.slice, self.user, self.role)
def can_update(self, user):
- return self.slice.can_update(user)
+ return user.can_update_slice(self.slice)
@staticmethod
def select_by_user(user):
diff --git a/planetstack/core/models/slicetag.py b/planetstack/core/models/slicetag.py
index ea1d026..246e6fd 100644
--- a/planetstack/core/models/slicetag.py
+++ b/planetstack/core/models/slicetag.py
@@ -11,7 +11,7 @@
value = models.CharField(help_text="The value of this tag", max_length=1024)
def can_update(self, user):
- return self.slice.can_update(user)
+ return user.can_update_slice(self.slice)
@staticmethod
def select_by_user(user):
diff --git a/planetstack/core/models/sliver.py b/planetstack/core/models/sliver.py
index 3804dba..62e487b 100644
--- a/planetstack/core/models/sliver.py
+++ b/planetstack/core/models/sliver.py
@@ -120,7 +120,7 @@
super(Sliver, self).save(*args, **kwds)
def can_update(self, user):
- return self.slice.can_update(user)
+ return user.can_update_slice(self.slice)
def all_ips(self):
ips={}
diff --git a/planetstack/core/models/tag.py b/planetstack/core/models/tag.py
index 7818c32..b1e510a 100644
--- a/planetstack/core/models/tag.py
+++ b/planetstack/core/models/tag.py
@@ -24,9 +24,7 @@
def can_update(self, user):
- if user.is_admin:
- return True
- return False
+ return user.can_update_root()
@staticmethod
def select_by_user(user):
diff --git a/planetstack/core/models/user.py b/planetstack/core/models/user.py
index 60fd290..250b546 100644
--- a/planetstack/core/models/user.py
+++ b/planetstack/core/models/user.py
@@ -316,6 +316,52 @@
return False
+ def can_update_root(self):
+ """
+ Return True if user has root (global) write access.
+ """
+ if self.is_readonly:
+ return False
+ if self.is_admin:
+ return True
+
+ return False
+
+ def can_update_deployment(self, deployment):
+ from core.models.site import DeploymentPrivilege
+ if self.can_update_root():
+ return True
+
+ if DeploymentPrivilege.objects.filter(
+ deployment=deployment,
+ user=self,
+ role__role__in=['admin', 'Admin']):
+ return True
+ return False
+
+ def can_update_site(self, site, allow=[]):
+ from core.models.site import SitePrivilege
+ if self.can_update_root():
+ return True
+ if SitePrivilege.objects.filter(
+ site=site, user=self, role__role__in=['admin', 'Admin']+allow):
+ return True
+ return False
+
+ def can_update_slice(self, slice):
+ from core.models.slice import SlicePrivilege
+ if self.can_update_root():
+ return True
+ if self == slice.creator:
+ return True
+ if self.can_update_site(slice.site, allow=['pi']):
+ return True
+
+ if SlicePrivilege.objects.filter(
+ slice=slice, user=self, role__role__in=['admin', 'Admin']):
+ return True
+ return False
+
@staticmethod
def select_by_user(user):
if user.is_admin:
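Review bot: Read-only users are no longer denied by `can_update_deployment`, `can_update_site` and `can_update_slice`. `can_update_root()` returns False for a read-only account, but each helper treats False as "not root" and goes on to the creator and privilege checks. A read-only user who created a slice or holds a site, slice or deployment role therefore gets True, whereas the removed code in site.py, node.py and slice.py returned False for `is_readonly` before anything else. Adding `if self.is_readonly: return False` as the first statement of each of the three helpers restores that. Separately, `allow=[]` is a mutable default; it is only read here, but `allow=None` with `allow or []` is the safer form.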