
Commit 61a2e65a authored by Leigh B Stoller's avatar Leigh B Stoller

Fixes to ImageInfo and DeleteInfo wrt PROTOGENI_LOCALUSERS; images

are a pain since access is not by credential or user.
parent 405d165e
...@@ -2540,6 +2540,8 @@ sub CreateImage($) ...@@ -2540,6 +2540,8 @@ sub CreateImage($)
if ($WITHPROVENANCE) { if ($WITHPROVENANCE) {
$image = $image->LookupMostRecent(); $image = $image->LookupMostRecent();
} }
# Set the creator_urn, which might come from the speaksfor.
# #
# Form an image URN so the user knows how to request the new image. # Form an image URN so the user knows how to request the new image.
# #
...@@ -2687,7 +2689,7 @@ sub DeleteImage($) ...@@ -2687,7 +2689,7 @@ sub DeleteImage($)
} }
if (! ((defined($creator_urn) && $creator_urn eq $user->urn()) || if (! ((defined($creator_urn) && $creator_urn eq $user->urn()) ||
$project->nonlocal_id() eq $authority->urn())) { GeniHRN::SameDomain($project->nonlocal_id(), $authority->urn()))) {
return GeniResponse->Create(GENIRESPONSE_FORBIDDEN, undef, return GeniResponse->Create(GENIRESPONSE_FORBIDDEN, undef,
"Not enough permission to delete image; wrong SA or user"); "Not enough permission to delete image; wrong SA or user");
} }
...@@ -2780,7 +2782,7 @@ sub ImageInfo($) ...@@ -2780,7 +2782,7 @@ sub ImageInfo($)
if (! ($image->global() || if (! ($image->global() ||
(defined($creator_urn) && $creator_urn eq $user->urn()) || (defined($creator_urn) && $creator_urn eq $user->urn()) ||
$project->nonlocal_id() eq $authority->urn())) { GeniHRN::SameDomain($project->nonlocal_id(), $authority->urn()))) {
return GeniResponse->Create(GENIRESPONSE_FORBIDDEN, undef, return GeniResponse->Create(GENIRESPONSE_FORBIDDEN, undef,
"Not enough permission to access image"); "Not enough permission to access image");
} }
...@@ -3493,6 +3495,7 @@ sub ModifyDataset($) ...@@ -3493,6 +3495,7 @@ sub ModifyDataset($)
my $blob = {}; my $blob = {};
$blob->{'expires'} = emutil::TBDateStringGMT($lease->lease_end()); $blob->{'expires'} = emutil::TBDateStringGMT($lease->lease_end());
$blob->{'state'} = $lease->state();
return GeniResponse->Create(GENIRESPONSE_SUCCESS, $blob); return GeniResponse->Create(GENIRESPONSE_SUCCESS, $blob);
} }
......
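Review bot: The DeleteImage permission test now accepts any authority whose domain matches the project's, where it previously required the exact authority URN, and ImageInfo gets the same relaxation. Because SameDomain compares only the first colon-separated component of each authority, a sub-authority under the same domain appears to pass as well. If that is intended for PROTOGENI_LOCALUSERS, a comment above each test such as `# Any SA in the project's domain is accepted, not only the exact authority.` would record the decision. If `$project->nonlocal_id()` can be undefined for a local project, test it with `defined(...)` before the call so the comparison cannot match on empty values. Both functions start and end outside the hunks shown.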
#!/usr/bin/perl -wT #!/usr/bin/perl -wT
# #
# Copyright (c) 2009-2010 University of Utah and the Flux Group. # Copyright (c) 2009-2015 University of Utah and the Flux Group.
# #
# {{{GENIPUBLIC-LICENSE # {{{GENIPUBLIC-LICENSE
# #
...@@ -253,6 +253,19 @@ sub Authoritative($$) ...@@ -253,6 +253,19 @@ sub Authoritative($$)
return $hrn[ 0 ] eq $authority; return $hrn[ 0 ] eq $authority;
} }
sub SameDomain($$)
{
my ($a, $b) = @_;
my ($auth_a) = Parse($a);
my ($auth_b) = Parse($b);
my ($dom_a) = split(":", $auth_a);
my ($dom_b) = split(":", $auth_b);
$dom_a =~ tr/A-Z/a-z/;
$dom_b =~ tr/A-Z/a-z/;
return $dom_a eq $dom_b;
}
# Helper functions to make special cases slightly less messy: # Helper functions to make special cases slightly less messy:
# Generate an interface URN given a node and an interface ID on that node. # Generate an interface URN given a node and an interface ID on that node.
......
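Review bot: SameDomain returns true when neither argument yields an authority, so the permission checks that call it can fail open. If Parse() returns nothing for a malformed or undefined URN (its body is outside this view), `$dom_a` and `$dom_b` are both undef and `eq` treats them as equal empty strings, with only a warning under `-w`. Adding `return 0 unless defined($auth_a) && defined($auth_b);` after the two Parse() calls closes that case. As a style point, the lexicals `$a` and `$b` shadow Perl's sort variables; `$urn_a` and `$urn_b` would avoid surprises if a sort block is ever added here.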