Feature #687: Better default rules in AuthManager, takes into account the object's owner

2025-03-23 22:50:09 +03:00 · 2011-07-01 16:10:00 +02:00 · 2011-07-01 16:10:00 +02:00 · 27288cfc0e
commit 27288cfc0e
parent 32a7699c5a
1 changed files with 19 additions and 10 deletions
--- a/src/authm/AuthManager.cc
+++ b/src/authm/AuthManager.cc
@ -74,19 +74,28 @@ void AuthRequest::add_auth(Object        ob,
    // Authorize the request for self authorization
    // -------------------------------------------------------------------------

-    if ( uid == 0 || gids.count( GroupPool::ONEADMIN_ID ) == 1 )
+    // There are some default conditions that grant permission without
+    // consulting the ACL manager
+    if (
+        // User is oneadmin, or is in the oneadmin group
+        uid == 0 ||
+        gids.count( GroupPool::ONEADMIN_ID ) == 1 ||
+
+        // User is the owner of the object, for certain operations
+        (   owner == uid &&
+            ( op == DELETE || op == USE || op == MANAGE ||
+              op == INFO   || op == INSTANTIATE )
+        ) ||
+
+        // Object is public and user is in its group, for certain operations
+        (   pub && ( gids.count( ob_gid ) == 1 ) &&
+            (op == USE || op == INSTANTIATE || op == INFO ) &&
+            (ob == NET || ob == IMAGE || ob == TEMPLATE)
+        )
+    )
    {
        auth = true;
    }
-    else if (   pub && ( gids.count( ob_gid ) == 1 ) &&
-                (op == USE || op == INSTANTIATE || op == INFO ) &&
-                (ob == NET || ob == IMAGE || ob == TEMPLATE)
-            )
-    {
-        // Users are authorized to use or see information of NET, IMAGE, and
-        // TEMPLATE objects in their group
-        auth = true;
-    }
    else
    {
        Nebula&     nd   = Nebula::instance();