Merge branch 'bug-834'

2025-03-22 18:50:08 +03:00 · 2012-04-20 11:45:17 +02:00 · 2012-04-20 11:45:17 +02:00 · 0680e537ca
commit 0680e537ca
parent c73248643d f747332367
4 changed files with 81 additions and 10 deletions
--- a/include/AclManager.h
+++ b/include/AclManager.h
@ -107,6 +107,14 @@ public:
     */
    void del_gid_rules(int gid);

+    /**
+     * Deletes all rules that apply to this resource
+     *
+     * @param oid Id of the deleted object
+     * @param obj_type Object type
+     */
+    void del_resource_rules(int oid, PoolObjectSQL::ObjectType obj_type);
+
    /**
     * Searches what resources of type obj_type the ACL rules set allows
     * the given user to perform the operation.
@ -220,6 +228,16 @@ private:
     */
    void del_user_matching_rules(long long user_req);

+    /**
+     * Deletes all rules that match the resource mask
+     *
+     *    @param resource_req 64 bit request, ob. type and group id
+     *    @param resource_mask Mask with ob. type and group flags
+     */
+    void del_resource_matching_rules(
+            long long resource_req,
+            long long resource_mask);
+
    // ----------------------------------------
    // Mutex synchronization
    // ----------------------------------------
--- a/include/RequestManagerDelete.h
+++ b/include/RequestManagerDelete.h
@ -38,6 +38,7 @@ protected:

        Nebula& nd  = Nebula::instance();
        clpool      = nd.get_clpool();
+        aclm        = nd.get_aclm();
    };

    ~RequestManagerDelete(){};
@ -64,8 +65,9 @@ protected:
        return -1;
    };

-private:
+protected:
    ClusterPool *   clpool;
+    AclManager *    aclm;
 };


@ -180,7 +182,6 @@ public:
    {    
        Nebula& nd = Nebula::instance();
        pool       = nd.get_gpool();
-        aclm       = nd.get_aclm();

        auth_object = PoolObjectSQL::GROUP;
        auth_op     = AuthRequest::ADMIN;
@ -190,10 +191,6 @@ public:

    /* -------------------------------------------------------------------- */

-    AclManager * aclm;
-
-    /* -------------------------------------------------------------------- */
-
    int drop(int oid, PoolObjectSQL * object, string& error_msg);
 };

@ -209,7 +206,6 @@ public:
        Nebula& nd  = Nebula::instance();
        pool        = nd.get_upool();
        gpool       = nd.get_gpool();
-        aclm        = nd.get_aclm();

        auth_object = PoolObjectSQL::USER;
        auth_op     = AuthRequest::ADMIN;
@ -220,7 +216,6 @@ public:
    /* -------------------------------------------------------------------- */

    GroupPool *  gpool;
-    AclManager * aclm;

    /* -------------------------------------------------------------------- */

--- a/src/acl/AclManager.cc
+++ b/src/acl/AclManager.cc
@ -549,6 +549,8 @@ void AclManager::del_uid_rules(int uid)
 {
    long long user_req = AclRule::INDIVIDUAL_ID | uid;

+    // Delete rules that match
+    // #uid  __/__  __
    del_user_matching_rules(user_req);
 }

@ -557,9 +559,33 @@ void AclManager::del_uid_rules(int uid)

 void AclManager::del_gid_rules(int gid)
 {
-    long long user_req = AclRule::GROUP_ID | gid;
+    long long request = AclRule::GROUP_ID | gid;
+    long long resource_gid_mask = AclRule::GROUP_ID |
+                                  0x00000000FFFFFFFFLL;

-    del_user_matching_rules(user_req);
+    // Delete rules that match
+    // @gid  __/__  __
+    del_user_matching_rules(request);
+
+    // __  __/@gid  __
+    del_resource_matching_rules(request, resource_gid_mask);
+}
+
+/* -------------------------------------------------------------------------- */
+/* -------------------------------------------------------------------------- */
+
+void AclManager::del_resource_rules(int oid, PoolObjectSQL::ObjectType obj_type)
+{
+    long long request = obj_type |
+                        AclRule::INDIVIDUAL_ID |
+                        oid;
+
+    long long mask = 0xFFFFFFFFFFFFFFFFLL;
+
+    // Delete rules that are an exact match, i.e. for oid=7 and obj_type=IMAGE,
+    // this rule applies, but can't be deleted:
+    // __ IMAGE+TEMPLATE/#7 __
+    del_resource_matching_rules(request, mask);
 }

 /* -------------------------------------------------------------------------- */
@ -595,6 +621,36 @@ void AclManager::del_user_matching_rules(long long user_req)
 /* -------------------------------------------------------------------------- */
 /* -------------------------------------------------------------------------- */

+void AclManager::del_resource_matching_rules(long long resource_req,
+                                             long long resource_mask)
+{
+    multimap<long long, AclRule *>::iterator        it;
+
+    vector<int>             oids;
+    vector<int>::iterator   oid_it;
+    string                  error_str;
+
+    lock();
+
+    for ( it = acl_rules.begin(); it != acl_rules.end(); it++ )
+    {
+        if ( ( it->second->resource & resource_mask ) == resource_req )
+        {
+            oids.push_back(it->second->oid);
+        }
+    }
+
+    unlock();
+
+    for ( oid_it = oids.begin() ; oid_it < oids.end(); oid_it++ )
+    {
+        del_rule(*oid_it, error_str);
+    }
+}
+
+/* -------------------------------------------------------------------------- */
+/* -------------------------------------------------------------------------- */
+
 void AclManager::reverse_search(int                       uid,
                                int                       gid,
                                PoolObjectSQL::ObjectType obj_type,
--- a/src/rm/RequestManagerDelete.cc
+++ b/src/rm/RequestManagerDelete.cc
@ -96,6 +96,8 @@ void RequestManagerDelete::request_execute(xmlrpc_c::paramList const& paramList,
        return;
    }

+    aclm->del_resource_rules(oid, auth_object);
+
    success_response(oid, att);

    return;