Merge branch 'bug-3659'

2025-03-25 02:50:08 +03:00 · 2015-03-08 21:39:13 +01:00 · 2015-03-08 21:39:13 +01:00 · 51c78c6e45
commit 51c78c6e45
parent 83afc57663 0cdb1bba32
4 changed files with 42 additions and 20 deletions
--- a/include/RequestManagerAllocate.h
+++ b/include/RequestManagerAllocate.h
@ -251,6 +251,10 @@ public:
                      int& id,
                      string& error_str,
                      RequestAttributes& att);
+
+    bool allocate_authorization(Template *          obj_template,
+                                RequestAttributes&  att,
+                                PoolObjectAuth *    cluster_perms);
 };

 /* ------------------------------------------------------------------------- */
--- a/src/rm/RequestManagerAllocate.cc
+++ b/src/rm/RequestManagerAllocate.cc
@ -525,6 +525,42 @@ int TemplateAllocate::pool_allocate(
 /* -------------------------------------------------------------------------- */
 /* -------------------------------------------------------------------------- */

+bool TemplateAllocate::allocate_authorization(
+        Template *          tmpl,
+        RequestAttributes&  att,
+        PoolObjectAuth *    cluster_perms)
+{
+    if ( att.uid == UserPool::ONEADMIN_ID || att.gid == GroupPool::ONEADMIN_ID )
+    {
+        return true;
+    }
+
+    AuthRequest ar(att.uid, att.group_ids);
+    string      t64;
+    string      aname;
+
+    VirtualMachineTemplate * ttmpl = static_cast<VirtualMachineTemplate *>(tmpl);
+
+    // ------------ Check template for restricted attributes -------------------
+    if (ttmpl->check(aname))
+    {
+        ostringstream oss;
+
+        oss << "VM Template includes a restricted attribute " << aname;
+
+        failure_response(AUTHORIZATION,
+                authorization_error(oss.str(), att),
+                att);
+
+        return false;
+    }
+
+    return true;
+}
+
+/* -------------------------------------------------------------------------- */
+/* -------------------------------------------------------------------------- */
+
 int HostAllocate::pool_allocate(
        xmlrpc_c::paramList const&  paramList,
        Template *                  tmpl,
--- a/src/rm/RequestManagerUpdateTemplate.cc
+++ b/src/rm/RequestManagerUpdateTemplate.cc
@ -95,8 +95,8 @@ void RequestManagerUpdateTemplate::request_execute(

    object = pool->get(oid,true);

-    if ( object == 0 )                             
-    {                                            
+    if ( object == 0 )
+    {
        failure_response(NO_EXISTS,
                get_error(object_name(auth_object),oid),
                att);
--- a/src/rm/RequestManagerVMTemplate.cc
+++ b/src/rm/RequestManagerVMTemplate.cc
@ -79,24 +79,6 @@ void VMTemplateInstantiate::request_execute(xmlrpc_c::paramList const& paramList

    rtmpl->unlock();

-    // Check template for restricted attributes, only if owner is not oneadmin
-    if (perms.uid!=UserPool::ONEADMIN_ID && perms.gid!=GroupPool::ONEADMIN_ID)
-    {
-        if (tmpl->check(aname))
-        {
-            ostringstream oss;
-
-            oss << "VM Template includes a restricted attribute " << aname;
-
-            failure_response(AUTHORIZATION,
-                    authorization_error(oss.str(), att),
-                    att);
-
-            delete tmpl;
-            return;
-        }
-    }
-
    // Parse & merge user attributes (check if the request user is not oneadmin)
    if (!str_uattrs.empty())
    {