On Tue, Mar 16, 2010 at 12:25:36PM -0400, Scott Seago wrote:
>
> Signed-off-by: Scott Seago <[email protected]>
> ---
> src/app/controllers/provider_controller.rb | 6 +++---
> src/app/models/privilege.rb | 13 +++++++++----
> src/db/migrate/20091008153046_create_privileges.rb | 2 +-
> src/db/migrate/20091008153058_create_roles.rb | 17 +++++++++++++++--
> 4 files changed, 28 insertions(+), 10 deletions(-)
>
> diff --git a/src/app/controllers/provider_controller.rb
> b/src/app/controllers/provider_controller.rb
> index b7e10a5..53056f5 100644
> --- a/src/app/controllers/provider_controller.rb
> +++ b/src/app/controllers/provider_controller.rb
> @@ -52,16 +52,16 @@ class ProviderController < ApplicationController
>
> def accounts
> @provider = Provider.find(params[:id])
> - require_privilege(Privilege::PROVIDER_VIEW, @provider)
> + require_privilege(Privilege::ACCOUNT_VIEW, @provider)
> end
>
> def new_account
> @provider = Provider.find(params[:id])
> - require_privilege(Privilege::PROVIDER_VIEW, @provider)
> + require_privilege(Privilege::ACCOUNT_MODIFY, @provider)
> end
>
> def create_account
> - require_privilege(Privilege::PROVIDER_MODIFY)
> + require_privilege(Privilege::ACCOUNT_MODIFY)
> @acct = CloudAccount.find_or_create(params[:account])
> @provider = Provider.find(params[:account][:provider_id])
> @provider.cloud_accounts << @acct
> diff --git a/src/app/models/privilege.rb b/src/app/models/privilege.rb
> index e314930..69f22b9 100644
> --- a/src/app/models/privilege.rb
> +++ b/src/app/models/privilege.rb
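Review bot: In `create_account` the new check `require_privilege(Privilege::ACCOUNT_MODIFY)` is made without an object and before `@provider` is loaded, while `new_account` checks the same privilege on `@provider`. What `require_privilege` does with no object is not visible in this patch, but in either case the check is not tied to the provider named in `params[:account][:provider_id]`, which is the provider the account is then attached to. Depending on that behaviour, a user holding ACCOUNT_MODIFY on one provider is either refused or allowed to act on a provider they hold nothing on. Load the provider first and scope the check, ahead of `CloudAccount.find_or_create`: `@provider = Provider.find(params[:account][:provider_id])` then `require_privilege(Privilege::ACCOUNT_MODIFY, @provider)`. The body of `create_account` continues past the end of the hunk.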
> @@ -43,10 +43,15 @@ class Privilege < ActiveRecord::Base
> STATS_VIEW = "stats_view" # can view monitoring data for
> # instances
>
> - # account privileges normally checked at the provider level, although
> - # account-specific overrides could be a future enhancement.
> + # to create(i.e. import) an account on a provider (but not added to
> + # a pool) needs ACCOUNT_MODIFY on the provider.
> + # to add a new provider account (i.e. import) to a pool needs
> + # ACCOUNT_ADD on the pool
> + # to add an existing provider account to a pool needs ACCOUNT_ADD
> + # on the pool _and_ ACCOUNT_ADD on the account.
> ACCOUNT_MODIFY = "account_modify" # can create or modify cloud
> accounts
> - ACCOUNT_VIEW = "account_view" # can create or modify cloud
> accounts
> + ACCOUNT_VIEW = "account_view" # can view cloud accounts
> + ACCOUNT_ADD = "account_add" # can add an account to a pool
>
> # pool privileges normally checked at the provider level
> # (and at the account level for choosing which accounts are visible on the
> @@ -76,7 +81,7 @@ class Privilege < ActiveRecord::Base
> FULL_PRIVILEGE_LIST = [PERM_SET, PERM_VIEW,
> INSTANCE_MODIFY, INSTANCE_CONTROL, INSTANCE_VIEW,
> STATS_VIEW,
> - ACCOUNT_MODIFY, ACCOUNT_VIEW,
> + ACCOUNT_MODIFY, ACCOUNT_ADD, ACCOUNT_VIEW,
> POOL_MODIFY, POOL_VIEW,
> QUOTA_MODIFY, QUOTA_VIEW,
> PROVIDER_MODIFY, PROVIDER_VIEW,
> diff --git a/src/db/migrate/20091008153046_create_privileges.rb
> b/src/db/migrate/20091008153046_create_privileges.rb
> index 74932b0..12d94c6 100644
> --- a/src/db/migrate/20091008153046_create_privileges.rb
> +++ b/src/db/migrate/20091008153046_create_privileges.rb
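Review bot: The comment block added above `ACCOUNT_MODIFY` in the `@@ -43,10 +43,15 @@` hunk describes ACCOUNT_ADD checks on the pool and on the account, but no hunk in this patch calls `require_privilege` with `Privilege::ACCOUNT_ADD`. As far as the visible changes go, the privilege is defined and granted to roles without being enforced. If enforcement is meant to arrive in a later patch, the comment should say so, for example `# NOTE: ACCOUNT_ADD is not checked anywhere yet; the rules below describe the intended model`. Otherwise a reader auditing role grants will assume these checks already exist.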
> @@ -30,7 +30,7 @@ class CreatePrivileges < ActiveRecord::Migration
> privileges = ["set_perms", "view_perms",
> "instance_modify", "instance_control", "instance_view",
> "stats_view",
> - "account_modify", "account_view",
> + "account_modify", "account_add", "account_view",
> "pool_modify", "pool_view",
> "quota_modify", "quota_view",
> "provider_modify", "provider_view",
> diff --git a/src/db/migrate/20091008153058_create_roles.rb
> b/src/db/migrate/20091008153058_create_roles.rb
> index 44c360d..d7776d3 100644
> --- a/src/db/migrate/20091008153058_create_roles.rb
> +++ b/src/db/migrate/20091008153058_create_roles.rb
> @@ -63,7 +63,7 @@ class CreateRoles < ActiveRecord::Migration
> "quota_view",
> "set_perms",
> "view_perms",
> - "account_modify"]},
> + "account_add"]},
> "Pool Creator" =>
> {:role_scope => "Provider",
> :privileges => ["provider_view",
> @@ -78,19 +78,31 @@ class CreateRoles < ActiveRecord::Migration
> "quota_view",
> "quota_modify",
> "account_view",
> + "account_add",
> "account_modify",
> "set_perms",
> "view_perms"]},
> + "Provider Administrator" =>
> + {:role_scope => "Provider",
> + :privileges => ["provider_modify",
> + "provider_view",
> + "account_modify",
> + "account_view"]},
> "Account Administrator" =>
> {:role_scope => "CloudAccount",
> :privileges => ["set_perms",
> "view_perms",
> "account_view",
> + "account_add",
> "account_modify"]},
> "Account User" =>
> {:role_scope => "CloudAccount",
> + :privileges => ["account_view",
> + "account_add"]},
> + "Account Viewer" =>
> + {:role_scope => "CloudAccount",
> :privileges => ["account_view"]},
> - "Provider Administrator" =>
> + "Provider Creator" =>
> {:role_scope => "BasePortalObject",
> :privileges => ["provider_modify",
> "provider_view"]},
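Review bot: The `privileges` list is changed inside the existing migration `20091008153046_create_privileges.rb`, and the three `create_roles.rb` hunks edit `20091008153058_create_roles.rb` in the same way. A database that has already run these migrations will not pick up the `account_add` row or the revised role-to-privilege mappings. In particular, the role in the `@@ -63,7 +63,7 @@` hunk would keep `account_modify` where the patch intends the narrower `account_add`. Unless every environment is rebuilt from scratch, put the seed changes in a new migration that inserts `account_add` and updates the affected roles. The enclosing method starts and ends outside these hunks.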
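Review bot: In the `@@ -78,19 +78,31 @@` hunk the name "Provider Administrator" is reused for a new Provider-scoped role that carries `account_modify` and `account_view`, while the former BasePortalObject-scoped role becomes "Provider Creator". If any code or existing assignment looks roles up by name (not visible in this patch), the same name now resolves to a different scope and privilege set. Worth a comment at the seed data, for example `# "Provider Administrator" was BasePortalObject-scoped before this change; see "Provider Creator"`, plus a search for lookups by that name before pushing. The hash literal starts and ends outside the hunk.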
> @@ -99,6 +111,7 @@ class CreateRoles < ActiveRecord::Migration
> :privileges => ["provider_modify",
> "provider_view",
> "account_modify",
> + "account_add",
> "account_view",
> "user_modify",
> "user_view",
> --
> 1.6.2.5
>
> _______________________________________________
> deltacloud-devel mailing list
> [email protected]
> https://fedorahosted.org/mailman/listinfo/deltacloud-devel
ACK to this. Please push! Steve. _______________________________________________ deltacloud-devel mailing list [email protected] https://fedorahosted.org/mailman/listinfo/deltacloud-devel
