Signed-off-by: Scott Seago <sseago(a)redhat.com&gt; --- .../controllers/resources/instances_controller.rb | 4 +- src/app/models/permission.rb | 3 +- src/app/services/registration_service.rb | 15 ++++-- .../20110322120000_add_template_creator_role.rb | 47 ++++++++++++++++++++ src/db/seeds.rb | 12 ++++- src/features/permission.feature | 12 +++++- src/lib/tasks/dc_tasks.rake | 13 ++++-- src/spec/services/registration_service_spec.rb | 6 ++- 8 files changed, 95 insertions(+), 17 deletions(-) create mode 100644 src/db/migrate/20110322120000_add_template_creator_role.rb diff --git a/src/app/controllers/resources/instances_controller.rb b/src/app/controllers/resources/instances_controller.rb index 234fe6b..f857aa7 100644 --- a/src/app/controllers/resources/instances_controller.rb +++ b/src/app/controllers/resources/instances_controller.rb @@ -168,7 +168,7 @@ class Resources::InstancesController < ApplicationController end def init_new_instance_attrs - @pools = Pool.list_for_user(@current_user, Privilege::MODIFY, :target_type => Instance) + @pools = Pool.list_for_user(@current_user, Privilege::CREATE, :target_type => Instance) @realms = FrontendRealm.all @hardware_profiles = HardwareProfile.all( :include => :architecture, @@ -189,7 +189,7 @@ class Resources::InstancesController < ApplicationController {:name => 'CREATED BY', :sort_attr => 'users.last_name'}, ] - @pools = Pool.list_for_user(@current_user, Privilege::MODIFY, :target_type => Instance) + @pools = Pool.list_for_user(@current_user, Privilege::CREATE, :target_type => Instance) end def load_instances diff --git a/src/app/models/permission.rb b/src/app/models/permission.rb index dc10166..34e37bd 100644 --- a/src/app/models/permission.rb +++ b/src/app/models/permission.rb @@ -40,7 +40,8 @@ class Permission < ActiveRecord::Base validates_presence_of :user_id validates_uniqueness_of :user_id, :scope => [:permission_object_id, - :permission_object_type] + :permission_object_type, + :role_id] belongs_to :permission_object, :polymorphic => true # type-specific associations diff --git a/src/app/services/registration_service.rb b/src/app/services/registration_service.rb index 046fdcd..277a502 100644 --- a/src/app/services/registration_service.rb +++ b/src/app/services/registration_service.rb @@ -21,11 +21,16 @@ class RegistrationService end @user.save! - - self_service_default_role = MetadataObject.lookup("self_service_default_role") - self_service_default_pool = MetadataObject.lookup("self_service_default_pool") - Permission.create!(:user => @user, :role => self_service_default_role, - :permission_object => self_service_default_pool) + # perm list in the format: + # "[resource1_key, resource1_role], [resource2_key, resource2_role], ..." + MetadataObject.lookup("self_service_perms_list").split(/[\]],? ?|[\[]/). + select {|x| !x.empty? }.each do |x| + obj_key, role_key = x.split(/, ?/) + default_obj = MetadataObject.lookup(obj_key) + default_role = MetadataObject.lookup(role_key) + Permission.create!(:user => @user, :role => default_role, + :permission_object => default_obj) + end return true rescue ActiveRecord::RecordInvalid => e Rails.logger.error e.message diff --git a/src/db/migrate/20110322120000_add_template_creator_role.rb b/src/db/migrate/20110322120000_add_template_creator_role.rb new file mode 100644 index 0000000..301f048 --- /dev/null +++ b/src/db/migrate/20110322120000_add_template_creator_role.rb @@ -0,0 +1,47 @@ +# +# Copyright (C) 2011 Red Hat, Inc. +# Written by Scott Seago <sseago(a)redhat.com&gt; +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, +# MA 02110-1301, USA. A copy of the GNU General Public License is +# also available at http://www.gnu.org/copyleft/gpl.html. + +class AddTemplateCreatorRole < ActiveRecord::Migration + + + def self.up + unless Role.all.empty? + Role.transaction do + role_name = "Template Creator" + role = Role.find_or_initialize_by_name(role_name) + role.update_attributes({:name => role_name, :scope => BasePermissionObject.name, + :assign_to_owner => false}) + role.save! + ["view","use","create"].each do |action| + Privilege.create!(:role => role, :target_type => Template.name, + :action => action) + end + end + settings = {"self_service_default_template_obj" => BasePermissionObject.general_permission_scope, + "self_service_default_template_role" => Role.find_by_name("Template Creator"), + "self_service_perms_list" => "[self_service_default_pool,self_service_default_role], [self_service_default_template_obj,self_service_default_template_role]"} + settings.each_pair do |key, value| + MetadataObject.set(key, value) + end + end + end + + def self.down + end +end diff --git a/src/db/seeds.rb b/src/db/seeds.rb index cf23e60..1bfb969 100644 --- a/src/db/seeds.rb +++ b/src/db/seeds.rb @@ -57,6 +57,7 @@ roles = Quota => [VIEW, MOD], PoolFamily => [VIEW, MOD,CRE,VPRM,GPRM]}], "Template Administrator" => [false, {Template => [VIEW,USE,MOD,CRE,VPRM,GPRM]}], + "Template Creator" => [false, {Template => [VIEW,USE, CRE]}], "Administrator" => [false, {Provider => [VIEW, MOD,CRE,VPRM,GPRM], ProviderAccount => [VIEW,USE,MOD,CRE,VPRM,GPRM], HardwareProfile => [ MOD,CRE,VPRM,GPRM], @@ -92,14 +93,21 @@ BasePermissionObject.create!(:name => "general_permission_scope") # Set meta objects MetadataObject.set("default_pool_family", PoolFamily.find_by_name('default')) -default_pool = Pool.find_by_name("default_pool") default_quota = Quota.create +default_pool = Pool.find_by_name("default_pool") default_role = Role.find_by_name("Pool User") +default_template_role = Role.find_by_name("Template Creator") + settings = {"allow_self_service_logins" => "true", "self_service_default_quota" => default_quota, "self_service_default_pool" => default_pool, - "self_service_default_role" => default_role} + "self_service_default_role" => default_role, + "self_service_default_template_obj" => BasePermissionObject.general_permission_scope, + "self_service_default_template_role" => default_template_role, + # perm list in the format: + # "[resource1_key, resource1_role], [resource2_key, resource2_role], ..." + "self_service_perms_list" => "[self_service_default_pool,self_service_default_role], [self_service_default_template_obj,self_service_default_template_role]"} settings.each_pair do |key, value| MetadataObject.set(key, value) end diff --git a/src/features/permission.feature b/src/features/permission.feature index 5267da4..ee2d736 100644 --- a/src/features/permission.feature +++ b/src/features/permission.feature @@ -21,12 +21,22 @@ Feature: Manage Permissions And I should see "Permission record added" And I should see "testuser" - Scenario: Create a permission which already exists + Scenario: Create a second permission on a resource Given there is a permission for the user "testuser" And I am on the new permission page When I select "testuser" from "permission[user_id]" And I select "Provider Creator" from "permission[role_id]" And I press "Save" + Then I should be on the permissions page + And I should see "Permission record added" + And I should see "testuser" + + Scenario: Attempt to duplicate a permission + Given there is a permission for the user "testuser" + And I am on the new permission page + When I select "testuser" from "permission[user_id]" + And I select "Administrator" from "permission[role_id]" + And I press "Save" Then I should see "new Permission" Scenario: Delete a permission diff --git a/src/lib/tasks/dc_tasks.rake b/src/lib/tasks/dc_tasks.rake index f7e853d..8255d32 100644 --- a/src/lib/tasks/dc_tasks.rake +++ b/src/lib/tasks/dc_tasks.rake @@ -46,10 +46,15 @@ namespace :dc do puts "Permission already granted for user #{args.login}" exit(1) end - - user.permissions << Permission.new(:role => Role.find_by_name('Administrator'), - :permission_object => BasePermissionObject.general_permission_scope) - puts "Granting administrator privileges for #{args.login}..." + permission = Permission.new(:role => Role.find_by_name('Administrator'), + :permission_object => BasePermissionObject.general_permission_scope, + :user => user) + if permission.save + puts "Granting administrator privileges for #{args.login}..." + else + puts "Granting administrator privileges for #{args.login} failed #{permission.errors.to_xml}" + exit(1) + end end diff --git a/src/spec/services/registration_service_spec.rb b/src/spec/services/registration_service_spec.rb index 810fe6e..ea38412 100644 --- a/src/spec/services/registration_service_spec.rb +++ b/src/spec/services/registration_service_spec.rb @@ -17,7 +17,7 @@ describe RegistrationService do end end - it "should register a user with default pool/quota/role when default settings set" do + it "should register a user with default pool/quota/role/template perms when default settings set" do @user = Factory :user @pool = MetadataObject.lookup("self_service_default_pool") @role = MetadataObject.lookup("self_service_default_role") @@ -33,6 +33,8 @@ describe RegistrationService do @user.quota.maximum_running_instances.should == @quota.maximum_running_instances @user.quota.maximum_total_instances.should == @quota.maximum_total_instances + BasePermissionObject.general_permission_scope.has_privilege(@user,Privilege::CREATE, Template).should == true + BasePermissionObject.general_permission_scope.has_privilege(@user,Privilege::USE, Template).should == true end end @@ -51,7 +53,7 @@ describe RegistrationService do lambda do lambda do registration_process.save.should be_true - end.should change(Permission, :count).by(1) + end.should change(Permission, :count).by(2) end.should change(User, :count).by(1) end.should change(Quota, :count).by(1)