Feature #2736: Default group ACL allows to create DOCUMENTs

This way we can remove the default acl that allowed everybody to create them, and let the admin decide when a new group is defined.
2025-03-22 18:50:08 +03:00 · 2014-02-19 18:42:28 +01:00 · 2014-02-19 18:42:28 +01:00 · 7e824a39a2
commit 7e824a39a2
parent 73bdfbe632
2 changed files with 3 additions and 11 deletions
--- a/src/acl/AclManager.cc
+++ b/src/acl/AclManager.cc
@ -83,22 +83,14 @@ AclManager::AclManager(
        string error_str;

        // Users in group USERS can create standard resources
-        // @1 VM+NET+IMAGE+TEMPLATE/* CREATE #<local-zone>
+        // @1 VM+NET+IMAGE+TEMPLATE+DOCUMENT/* CREATE #<local-zone>
        add_rule(AclRule::GROUP_ID |
                    1,
                 AclRule::ALL_ID |
                    PoolObjectSQL::VM |
                    PoolObjectSQL::NET |
                    PoolObjectSQL::IMAGE |
-                    PoolObjectSQL::TEMPLATE,
-                 AuthRequest::CREATE,
-                 AclRule::INDIVIDUAL_ID |
-                     zone_id,
-                 error_str);
-
-        // * DOCUMENT/* CREATE #<local-zone>
-        add_rule(AclRule::ALL_ID,
-                 AclRule::ALL_ID |
+                    PoolObjectSQL::TEMPLATE |
                    PoolObjectSQL::DOCUMENT,
                 AuthRequest::CREATE,
                 AclRule::INDIVIDUAL_ID |
--- a/src/oca/ruby/opennebula/group.rb
+++ b/src/oca/ruby/opennebula/group.rb
@ -36,7 +36,7 @@ module OpenNebula
        SELF = -1

        # Default resource ACL's for group users (create)
-        GROUP_DEFAULT_ACLS = "VM+IMAGE+NET+TEMPLATE"
+        GROUP_DEFAULT_ACLS = "VM+IMAGE+NET+TEMPLATE+DOCUMENT"
        ALL_CLUSTERS_IN_ZONE = 10

        # Creates a Group description with just its identifier