Signed-off-by: Scott Seago <sseago(a)redhat.com>
---
.../controllers/resources/instances_controller.rb | 4 +-
src/app/models/permission.rb | 3 +-
src/app/services/registration_service.rb | 15 ++++--
.../20110322120000_add_template_creator_role.rb | 47 ++++++++++++++++++++
src/db/seeds.rb | 12 ++++-
src/features/permission.feature | 12 +++++-
src/lib/tasks/dc_tasks.rake | 13 ++++--
src/spec/services/registration_service_spec.rb | 6 ++-
8 files changed, 95 insertions(+), 17 deletions(-)
create mode 100644 src/db/migrate/20110322120000_add_template_creator_role.rb
diff --git a/src/app/controllers/resources/instances_controller.rb
b/src/app/controllers/resources/instances_controller.rb
index 234fe6b..f857aa7 100644
--- a/src/app/controllers/resources/instances_controller.rb
+++ b/src/app/controllers/resources/instances_controller.rb
@@ -168,7 +168,7 @@ class Resources::InstancesController < ApplicationController
end
def init_new_instance_attrs
- @pools = Pool.list_for_user(@current_user, Privilege::MODIFY, :target_type =>
Instance)
+ @pools = Pool.list_for_user(@current_user, Privilege::CREATE, :target_type =>
Instance)
@realms = FrontendRealm.all
@hardware_profiles = HardwareProfile.all(
:include => :architecture,
@@ -189,7 +189,7 @@ class Resources::InstancesController < ApplicationController
{:name => 'CREATED BY', :sort_attr => 'users.last_name'},
]
- @pools = Pool.list_for_user(@current_user, Privilege::MODIFY, :target_type =>
Instance)
+ @pools = Pool.list_for_user(@current_user, Privilege::CREATE, :target_type =>
Instance)
end
def load_instances
diff --git a/src/app/models/permission.rb b/src/app/models/permission.rb
index dc10166..34e37bd 100644
--- a/src/app/models/permission.rb
+++ b/src/app/models/permission.rb
@@ -40,7 +40,8 @@ class Permission < ActiveRecord::Base
validates_presence_of :user_id
validates_uniqueness_of :user_id, :scope => [:permission_object_id,
- :permission_object_type]
+ :permission_object_type,
+ :role_id]
belongs_to :permission_object, :polymorphic => true
# type-specific associations
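Review bot: Adding :role_id to the uniqueness scope only at the validation level leaves a race between concurrent registrations or rake invocations, since validates_uniqueness_of performs a read-then-insert without locking, and the migration in this patch adds no matching unique index. A database constraint, e.g. `add_index :permissions, [:user_id, :permission_object_id, :permission_object_type, :role_id], :unique => true`, makes the invariant hold regardless of which caller inserts. The Permission class body continues outside the hunk.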
diff --git a/src/app/services/registration_service.rb
b/src/app/services/registration_service.rb
index 046fdcd..277a502 100644
--- a/src/app/services/registration_service.rb
+++ b/src/app/services/registration_service.rb
@@ -21,11 +21,16 @@ class RegistrationService
end
@user.save!
-
- self_service_default_role =
MetadataObject.lookup("self_service_default_role")
- self_service_default_pool =
MetadataObject.lookup("self_service_default_pool")
- Permission.create!(:user => @user, :role => self_service_default_role,
- :permission_object => self_service_default_pool)
+ # perm list in the format:
+ # "[resource1_key, resource1_role], [resource2_key, resource2_role],
..."
+ MetadataObject.lookup("self_service_perms_list").split(/[\]],?
?|[\[]/).
+ select {|x| !x.empty? }.each do |x|
+ obj_key, role_key = x.split(/, ?/)
+ default_obj = MetadataObject.lookup(obj_key)
+ default_role = MetadataObject.lookup(role_key)
+ Permission.create!(:user => @user, :role => default_role,
+ :permission_object => default_obj)
+ end
return true
rescue ActiveRecord::RecordInvalid => e
Rails.logger.error e.message
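Review bot: `MetadataObject.lookup("self_service_perms_list")` has `split` called on it directly, so an unset key raises NoMethodError, which the `rescue ActiveRecord::RecordInvalid` below does not catch; the previous code presumably failed through create! and was logged, so this is a change in failure mode. Either guard explicitly and raise a named error, or coerce with `.to_s` if an empty list is an acceptable configuration, and say which in the comment. A malformed entry without a comma leaves role_key nil and reaches `MetadataObject.lookup(nil)`; checking both keys before the lookups gives a clearer error than whatever that lookup returns. `select {|x| !x.empty? }` is `reject(&:empty?)` in idiomatic Ruby. The enclosing method and its rescue begin and end outside the hunk.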
diff --git a/src/db/migrate/20110322120000_add_template_creator_role.rb
b/src/db/migrate/20110322120000_add_template_creator_role.rb
new file mode 100644
index 0000000..301f048
--- /dev/null
+++ b/src/db/migrate/20110322120000_add_template_creator_role.rb
@@ -0,0 +1,47 @@
+#
+# Copyright (C) 2011 Red Hat, Inc.
+# Written by Scott Seago <sseago(a)redhat.com>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
+# MA 02110-1301, USA. A copy of the GNU General Public License is
+# also available at
http://www.gnu.org/copyleft/gpl.html.
+
+class AddTemplateCreatorRole < ActiveRecord::Migration
+
+
+ def self.up
+ unless Role.all.empty?
+ Role.transaction do
+ role_name = "Template Creator"
+ role = Role.find_or_initialize_by_name(role_name)
+ role.update_attributes({:name => role_name, :scope =>
BasePermissionObject.name,
+ :assign_to_owner => false})
+ role.save!
+ ["view","use","create"].each do |action|
+ Privilege.create!(:role => role, :target_type => Template.name,
+ :action => action)
+ end
+ end
+ settings = {"self_service_default_template_obj" =>
BasePermissionObject.general_permission_scope,
+ "self_service_default_template_role" =>
Role.find_by_name("Template Creator"),
+ "self_service_perms_list" =>
"[self_service_default_pool,self_service_default_role],
[self_service_default_template_obj,self_service_default_template_role]"}
+ settings.each_pair do |key, value|
+ MetadataObject.set(key, value)
+ end
+ end
+ end
+
+ def self.down
+ end
+end
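Review bot: `self.down` is empty, so a rollback leaves the Template Creator role, its three Privilege rows and the three MetadataObject keys in place while the schema version claims they are gone; either reverse the up step or `raise ActiveRecord::IrreversibleMigration` so the operator knows. In `up`, `role.update_attributes` already saves and returns false on failure, so the following `role.save!` only raises if the first save silently failed; `role.update_attributes!(...)` makes that one step. The privilege loop runs unconditionally, so re-running up against an already existing "Template Creator" role (which find_or_initialize_by_name returns) creates duplicate Privilege rows unless Privilege enforces uniqueness elsewhere. `Role.all.empty?` loads every role to answer a yes/no question; `Role.exists?` is sufficient.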
diff --git a/src/db/seeds.rb b/src/db/seeds.rb
index cf23e60..1bfb969 100644
--- a/src/db/seeds.rb
+++ b/src/db/seeds.rb
@@ -57,6 +57,7 @@ roles =
Quota => [VIEW, MOD],
PoolFamily => [VIEW,
MOD,CRE,VPRM,GPRM]}],
"Template Administrator" => [false, {Template =>
[VIEW,USE,MOD,CRE,VPRM,GPRM]}],
+ "Template Creator" => [false, {Template => [VIEW,USE,
CRE]}],
"Administrator" => [false, {Provider => [VIEW,
MOD,CRE,VPRM,GPRM],
ProviderAccount =>
[VIEW,USE,MOD,CRE,VPRM,GPRM],
HardwareProfile => [
MOD,CRE,VPRM,GPRM],
@@ -92,14 +93,21 @@ BasePermissionObject.create!(:name =>
"general_permission_scope")
# Set meta objects
MetadataObject.set("default_pool_family",
PoolFamily.find_by_name('default'))
-default_pool = Pool.find_by_name("default_pool")
default_quota = Quota.create
+default_pool = Pool.find_by_name("default_pool")
default_role = Role.find_by_name("Pool User")
+default_template_role = Role.find_by_name("Template Creator")
+
settings = {"allow_self_service_logins" => "true",
"self_service_default_quota" => default_quota,
"self_service_default_pool" => default_pool,
- "self_service_default_role" => default_role}
+ "self_service_default_role" => default_role,
+ "self_service_default_template_obj" =>
BasePermissionObject.general_permission_scope,
+ "self_service_default_template_role" => default_template_role,
+ # perm list in the format:
+ # "[resource1_key, resource1_role], [resource2_key, resource2_role], ..."
+ "self_service_perms_list" =>
"[self_service_default_pool,self_service_default_role],
[self_service_default_template_obj,self_service_default_template_role]"}
settings.each_pair do |key, value|
MetadataObject.set(key, value)
end
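Review bot: `Role.find_by_name("Template Creator")` returns nil if the roles hash above did not yield that role, and `MetadataObject.set` would then store a nil value that is presumably only discovered when `Permission.create!` fails for every new registration; failing loudly in the seed, e.g. `default_template_role = Role.find_by_name("Template Creator") || raise("Template Creator role missing")`, surfaces it at seed time. The perms-list string and its format comment are duplicated verbatim in the migration added by this patch, so the two can drift apart; a single definition, or at least a cross-reference comment, would help the next maintainer.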
diff --git a/src/features/permission.feature b/src/features/permission.feature
index 5267da4..ee2d736 100644
--- a/src/features/permission.feature
+++ b/src/features/permission.feature
@@ -21,12 +21,22 @@ Feature: Manage Permissions
And I should see "Permission record added"
And I should see "testuser"
- Scenario: Create a permission which already exists
+ Scenario: Create a second permission on a resource
Given there is a permission for the user "testuser"
And I am on the new permission page
When I select "testuser" from "permission[user_id]"
And I select "Provider Creator" from "permission[role_id]"
And I press "Save"
+ Then I should be on the permissions page
+ And I should see "Permission record added"
+ And I should see "testuser"
+
+ Scenario: Attempt to duplicate a permission
+ Given there is a permission for the user "testuser"
+ And I am on the new permission page
+ When I select "testuser" from "permission[user_id]"
+ And I select "Administrator" from "permission[role_id]"
+ And I press "Save"
Then I should see "new Permission"
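Review bot: The duplicate scenario ends with `Then I should see "new Permission"`, which only proves the form was re-rendered, not that the new uniqueness validation fired; asserting the validation message, or adding `And I should not see "Permission record added"`, pins the intended outcome. The scenario also relies on the existing permission for "testuser" from the Given step carrying the Administrator role, which the feature text does not state; naming the role in that step would make the duplicate explicit rather than fixture-dependent.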
Scenario: Delete a permission
diff --git a/src/lib/tasks/dc_tasks.rake b/src/lib/tasks/dc_tasks.rake
index f7e853d..8255d32 100644
--- a/src/lib/tasks/dc_tasks.rake
+++ b/src/lib/tasks/dc_tasks.rake
@@ -46,10 +46,15 @@ namespace :dc do
puts "Permission already granted for user #{args.login}"
exit(1)
end
-
- user.permissions << Permission.new(:role =>
Role.find_by_name('Administrator'),
- :permission_object =>
BasePermissionObject.general_permission_scope)
- puts "Granting administrator privileges for #{args.login}..."
+ permission = Permission.new(:role => Role.find_by_name('Administrator'),
+ :permission_object =>
BasePermissionObject.general_permission_scope,
+ :user => user)
+ if permission.save
+ puts "Granting administrator privileges for #{args.login}..."
+ else
+ puts "Granting administrator privileges for #{args.login} failed
#{permission.errors.to_xml}"
+ exit(1)
+ end
end
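Review bot: The failure branch prints `permission.errors.to_xml`, which is an awkward format for a terminal message; `permission.errors.full_messages.join(', ')` gives the operator readable sentences. The success message says "Granting..." after `permission.save` has already completed, so "Granted administrator privileges for #{args.login}" would be accurate. The `dc` namespace and the task block begin outside the hunk.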
diff --git a/src/spec/services/registration_service_spec.rb
b/src/spec/services/registration_service_spec.rb
index 810fe6e..ea38412 100644
--- a/src/spec/services/registration_service_spec.rb
+++ b/src/spec/services/registration_service_spec.rb
@@ -17,7 +17,7 @@ describe RegistrationService do
end
end
- it "should register a user with default pool/quota/role when default settings
set" do
+ it "should register a user with default pool/quota/role/template perms when
default settings set" do
@user = Factory :user
@pool = MetadataObject.lookup("self_service_default_pool")
@role = MetadataObject.lookup("self_service_default_role")
@@ -33,6 +33,8 @@ describe RegistrationService do
@user.quota.maximum_running_instances.should == @quota.maximum_running_instances
@user.quota.maximum_total_instances.should == @quota.maximum_total_instances
+
BasePermissionObject.general_permission_scope.has_privilege(@user,Privilege::CREATE,
Template).should == true
+ BasePermissionObject.general_permission_scope.has_privilege(@user,Privilege::USE,
Template).should == true
end
end
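Review bot: The new assertions cover the happy path only; the parsing path added in registration_service (the split of `self_service_perms_list`) has no example for a missing or malformed list, which is exactly where the new code can fail in a way the service's rescue does not cover. An example that sets `self_service_perms_list` to nil, or to an entry without a comma, and asserts the documented outcome of `save` would pin that behaviour. `.should == true` on a predicate is conventionally `.should be_true` in this spec style, as the file itself uses later with `registration_process.save.should be_true`. The example block begins outside the hunk.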
@@ -51,7 +53,7 @@ describe RegistrationService do
lambda do
lambda do
registration_process.save.should be_true
- end.should change(Permission, :count).by(1)
+ end.should change(Permission, :count).by(2)
end.should change(User, :count).by(1)
end.should change(Quota, :count).by(1)
--
1.7.4