feature #1697: Added CREATE perms for instantiate. Group user template code.

2025-03-21 14:50:08 +03:00 · 2013-02-17 00:55:31 +01:00 · 2013-02-17 00:55:31 +01:00 · 415be14bcb
commit 415be14bcb
parent 83b5b9d116
1 changed files with 36 additions and 32 deletions
--- a/src/rm/RequestManagerVMTemplate.cc
+++ b/src/rm/RequestManagerVMTemplate.cc
@ -101,19 +101,8 @@ void VMTemplateInstantiate::request_execute(xmlrpc_c::paramList const& paramList

    rtmpl->unlock();

-    // Parse user supplied attributes
-    rc = uattrs.parse_str_or_xml(str_uattrs, error_str);
-
-    if ( rc != 0 )
-    {
-        failure_response(INTERNAL, error_str, att);
-        delete tmpl;
-        return;
-    }
-
    // Check template for restricted attributes, only if owner is not oneadmin
-
-    if ( perms.uid != UserPool::ONEADMIN_ID && perms.gid != GroupPool::ONEADMIN_ID )
+    if (perms.uid!=UserPool::ONEADMIN_ID && perms.gid!=GroupPool::ONEADMIN_ID)
    {
        if (tmpl->check(aname))
        {
@ -130,33 +119,43 @@ void VMTemplateInstantiate::request_execute(xmlrpc_c::paramList const& paramList
        }
    }

-    // Check user template for restricted attributes, but only if the Request user
-    // is not oneadmin
-    if ( att.uid != UserPool::ONEADMIN_ID && att.gid != GroupPool::ONEADMIN_ID )
+    // Parse & merge user attributes (check if the request user is not oneadmin)
+    if (!str_uattrs.empty())
    {
-        if (uattrs.check(aname))
+        rc = uattrs.parse_str_or_xml(str_uattrs, error_str);
+
+        if ( rc != 0 )
        {
-            ostringstream oss;
-
-            oss << "User Template includes a restricted attribute " << aname;
-
-            failure_response(AUTHORIZATION,
-                    authorization_error(oss.str(), att),
-                    att);
-
+            failure_response(INTERNAL, error_str, att);
            delete tmpl;
            return;
        }
-    }

-    // Merge user attributes into template
-    rc = tmpl->merge(&uattrs, error_str);
+        if (att.uid!=UserPool::ONEADMIN_ID && att.gid!=GroupPool::ONEADMIN_ID)
+        {
+            if (uattrs.check(aname))
+            {
+                ostringstream oss;

-    if ( rc != 0 )
-    {
-        failure_response(INTERNAL, error_str, att);
-        delete tmpl;
-        return;
+                oss << "User Template includes a restricted attribute "<< aname;
+
+                failure_response(AUTHORIZATION,
+                        authorization_error(oss.str(), att),
+                        att);
+
+                delete tmpl;
+                return;
+            }
+        }
+
+        rc = tmpl->merge(&uattrs, error_str);
+
+        if ( rc != 0 )
+        {
+            failure_response(INTERNAL, error_str, att);
+            delete tmpl;
+            return;
+        }
    }

    /* ---------------------------------------------------------------------- */
@ -182,6 +181,11 @@ void VMTemplateInstantiate::request_execute(xmlrpc_c::paramList const& paramList

        ar.add_auth(auth_op, perms); //USE TEMPLATE

+        if (!str_uattrs.empty())
+        {
+            ar.add_auth(AuthRequest::CREATE, perms); //CREATE TEMPLATE
+        }
+
        VirtualMachine::set_auth_request(att.uid, ar, tmpl);

        if (UserPool::authorize(ar) == -1)