Commit ef076c85 authored by Leigh B Stoller's avatar Leigh B Stoller

Left this out of previous commit:

1. Allow local admins to snapshot system images.

2. Add a local user accesscheck in ImageInfo().
parent a4ecb249
......@@ -3216,14 +3216,19 @@ sub CreateImage($)
}
#
# On this path, we do not allow system images to be shadowed.
# We define system images as those in the emulab-ops project.
#
if (OSImage->LookupByName($imagename)) {
# On this path, we do not allow system images to be shadowed by mere
# users. We define system images as those in the emulab-ops project.
# Note the admin test; this just says they are an administrator, not
# that they are operating in withadminprivs context. Need a credential
# to provide that, maybe later.
#
if (OSImage->LookupByName($imagename) &&
!($user->IsLocal() && $user->emulab_user()->admin())) {
return GeniResponse->Create(GENIRESPONSE_FORBIDDEN, undef,
"Not allowed to shadow system images; ".
"use a different name for your image");
}
# See if it already exists and check ownership permission.
my $image = OSImage->Lookup($experiment->pid(), $imagename);
if (defined($image)) {
......@@ -3736,7 +3741,10 @@ sub ImageInfo($)
(defined($creator_urn) &&
($creator_urn eq $user->urn() ||
$creator_urn eq $ENV{'REALGENIURN'})) ||
GeniHRN::SameDomain($project->nonlocal_id(), $authority->urn()))) {
GeniHRN::SameDomain($project->nonlocal_id(), $authority->urn()) ||
($user->IsLocal() &&
$image->AccessCheck($user->emulab_user(),
EmulabConstants::TB_IMAGEID_ACCESS())))) {
return GeniResponse->Create(GENIRESPONSE_FORBIDDEN, undef,
"Not enough permission to access image");
}
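Review bot: In the CreateImage hunk, the new exemption `!($user->IsLocal() && $user->emulab_user()->admin())` lifts the shadowing check for an administrator in any project, while the lookup that follows is keyed on `$experiment->pid()`, so an admin working in an ordinary project would appear to create a same-named image there rather than update the system one. If the intent is only to snapshot the emulab-ops image itself, the exemption could also require that the experiment is in that project, e.g. adding `&& $experiment->pid() eq "emulab-ops"` inside the parentheses (or the project's existing constant for that name, if there is one). As the new comment says, the flag is checked without an admin-privilege context, so a log line recording the user and image name whenever the exemption is taken would make these bypasses auditable. Both function bodies start and end outside the visible hunks, including the head of the ImageInfo condition, so this is based on the visible lines only.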
......