On Thu, 2010-06-10 at 11:42 +0200, [email protected] wrote: > From: Jan Provaznik <[email protected]> > > image builder actions are now accessible only for Administrators (temporary > solution until we will have image permissions) > --- > src/app/controllers/image_descriptor_controller.rb | 13 ++++++++++++- > 1 files changed, 12 insertions(+), 1 deletions(-) > > diff --git a/src/app/controllers/image_descriptor_controller.rb > b/src/app/controllers/image_descriptor_controller.rb > index 532c092..d2e37d8 100644 > --- a/src/app/controllers/image_descriptor_controller.rb > +++ b/src/app/controllers/image_descriptor_controller.rb > @@ -1,6 +1,6 @@ > class ImageDescriptorController < ApplicationController > layout :layout > - before_filter :require_user > + before_filter :require_user, :require_admin > > def layout > return "aggregator" unless ajax? > @@ -105,4 +105,15 @@ class ImageDescriptorController < ApplicationController > end > end > end > + > + private > + > + # FIXME - this is temporary solution, replace with > + # concrete permission checks in actions > + def require_admin > + unless @current_user.permissions.collect { |p| p.role }.find { |r| > r.name == "Administrator" } > + raise PermissionError.new( > + 'You have insufficient privileges to perform action.') > + end > + end > end
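Review bot: in the first hunk, `before_filter :require_user, :require_admin` makes require_admin depend on require_user having halted the chain for an unauthenticated request, because require_admin dereferences @current_user without a nil check. If a request ever reaches it with @current_user unset, the failure surfaces as a NoMethodError rather than the intended PermissionError. A guard on @current_user inside require_admin would make the filter raise PermissionError on its own.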
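Review bot: in require_admin (second hunk), the check matches on the literal role name "Administrator" across every permission the user holds, so authorization depends on a display string rather than on what the role is allowed to do, and it breaks if the role is renamed. The FIXME comment already anticipates replacing it with concrete permission checks; until then the name should at least live in one constant. Also, `collect { |p| p.role }.find { |r| r.name == ... }` raises if any permission has a nil role, and `any?` states the intent more directly than `find`.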
Ok, have to NACK this one for now. Talked to Scott about it, and it needs a bit of fixing before pushing this series.

What we really need to do here is to check for IMAGE_MODIFY with require_privilege(IMAGE_MODIFY). This will check for the privilege against the BasePermission object. That privilege as well as IMAGE_VIEW should be added to the administrator role (so migration will need update as well). This should then be checked for all steps here (so probably makes sense to keep it in a filter, as you have). That check should also be on the link from the dashboard portlet.

This is the most invasive change to your series, so it might be simpler to rebase -i the set and move this to be your latest commit. Then you can just fix the minor changes from earlier, and resend this one on its own afterwards.

Feel free to ping either of us on this if my explanation is not clear (or Scott, correct me if I misstated something above).

-j
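The difference between the role-name check in the patch and the privilege check requested in the review, as an added example (not code from the patch or the project). The Struct models, the `target` field, the constant values and `require_privilege_for` are constructed stand-ins; the project's real `require_privilege` and its models are not shown in this thread.

```ruby
# Constructed stand-ins for illustration; not the project's real models.
Role       = Struct.new(:name, :privileges)
Permission = Struct.new(:role, :target)    # target: object the role is granted on
User       = Struct.new(:login, :permissions)

class PermissionError < StandardError; end

IMAGE_VIEW   = "image_view"    # constructed values
IMAGE_MODIFY = "image_modify"
BASE         = :base_permission_object  # stand-in for the BasePermission object

# Check as written in the patch: matches on the role's name only.
def admin_by_role_name?(user)
  user.permissions.map(&:role).any? { |r| r.name == "Administrator" }
end

# Privilege check: some role granted on `target` must carry `privilege`.
def has_privilege?(user, privilege, target = BASE)
  user.permissions.any? do |p|
    p.target == target && p.role && p.role.privileges.include?(privilege)
  end
end

# Hypothetical filter body: fails closed for a missing user as well.
def require_privilege_for(user, privilege, target = BASE)
  return true if user && has_privilege?(user, privilege, target)
  raise PermissionError, "You have insufficient privileges to perform action."
end

admin_role   = Role.new("Administrator", [IMAGE_VIEW, IMAGE_MODIFY])
builder_role = Role.new("Image Builder", [IMAGE_VIEW, IMAGE_MODIFY])
viewer_role  = Role.new("Image Viewer",  [IMAGE_VIEW])
other_admin  = Role.new("Administrator", [])   # same name, no image privileges

ADMIN   = User.new("admin",   [Permission.new(admin_role,   BASE)])
BUILDER = User.new("builder", [Permission.new(builder_role, BASE)])
VIEWER  = User.new("viewer",  [Permission.new(viewer_role,  BASE)])
SCOPED  = User.new("scoped",  [Permission.new(other_admin,  :some_other_object)])

[ADMIN, BUILDER, VIEWER, SCOPED].each do |u|
  puts format("%-8s name-check=%-5s IMAGE_MODIFY=%s",
              u.login, admin_by_role_name?(u), has_privilege?(u, IMAGE_MODIFY))
end
```

The two checks disagree for `builder` (holds the privilege, wrong role name) and `scoped` (right role name, no privilege on the base object), which are the cases a name match gets wrong.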
