acl support for deployments
diff --git a/planetstack/core/models/site.py b/planetstack/core/models/site.py
index e675afb..1301ebf 100644
--- a/planetstack/core/models/site.py
+++ b/planetstack/core/models/site.py
@@ -1,10 +1,10 @@
import os
from django.db import models
from core.models import PlCoreBase
-#from core.models import Deployment
from core.models import Tag
from django.contrib.contenttypes import generic
from geoposition.fields import GeopositionField
+from core.acl import AccessControlList
class Site(PlCoreBase):
"""
@@ -83,7 +83,42 @@
class Deployment(PlCoreBase):
name = models.CharField(max_length=200, unique=True, help_text="Name of the Deployment")
- #sites = models.ManyToManyField('Site', through='SiteDeployments', blank=True)
+
+ # smbaker: the default of 'allow all' is intended for evolutions of existing
+ # deployments. When new deployments are created via the GUI, they are
+ # given a default of 'allow site <site_of_creator>'
+ accessControl = models.TextField(max_length=200, blank=False, null=False, default="allow all",
+ help_text="Access control list that specifies which sites/users may use nodes in this deployment")
+
+ def get_acl(self):
+ return AccessControlList(self.accessControl)
+
+ def test_acl(self, slice=None, user=None):
+ potential_users=[]
+
+ if user:
+ potential_users.append(user)
+
+ if slice:
+ potential_users.append(slice.creator)
+ for priv in slice.slice_privileges.all():
+ if priv.user not in potential_users:
+ potential_users.append(priv.user)
+
+ acl = self.get_acl()
+ for user in potential_users:
+ if acl.test(user) == "allow":
+ return True
+
+ return False
+
+ def select_by_acl(self, user):
+ acl = self.get_acl()
+ result = []
+ for deployment in Deployment.objects.all():
+ if acl.test(user):
+ result.append(deployment)
+ return result
def __unicode__(self): return u'%s' % (self.name)
diff --git a/planetstack/core/models/sliver.py b/planetstack/core/models/sliver.py
index 6351bd1..0f37bc9 100644
--- a/planetstack/core/models/sliver.py
+++ b/planetstack/core/models/sliver.py
@@ -37,13 +37,16 @@
else:
return u'unsaved-sliver'
-
def save(self, *args, **kwds):
if not self.name:
self.name = self.slice.name
if not self.creator and hasattr(self, 'caller'):
self.creator = self.caller
self.deploymentNetwork = self.node.deployment
+
+ if not self.deploymentNetwork.test_acl(slice=self.slice):
+ raise exceptions.ValidationError("Deployment %s's ACL does not allow any of this slice %s's users" % (self.deploymentNetwork.name, self.slice.name))
+
super(Sliver, self).save(*args, **kwds)
def can_update(self, user):