Disallow non-admin users update net's shared attribute
authorStephen Ma <stephen.ma@hp.com>
Mon, 20 Jan 2014 15:48:28 +0000 (15:48 +0000)
committerThomas Goirand <thomas@goirand.fr>
Thu, 13 Mar 2014 07:20:12 +0000 (15:20 +0800)
Currently a non-admin user cannot create a network with
shared=True. However, the user can create the network and then
change the shared attribute to True.

With this patch, a non-admin user is no longer allowed to update a
network's shared value to True.

Change-Id: Id596ee399c56b9882efab97a89dbf7d14c5cf7f4
Closes-Bug: 1268823

etc/policy.json
neutron/tests/unit/test_db_plugin.py

index d0e0222047475efce4565c0f1e173995df68012b..cd65e6b965fe324d78274aea01650012d9278996 100644 (file)
@@ -35,6 +35,7 @@
     "create_network:provider:segmentation_id": "rule:admin_only",
     "update_network": "rule:admin_or_owner",
     "update_network:segments": "rule:admin_only",
+    "update_network:shared": "rule:admin_only",
     "update_network:provider:network_type": "rule:admin_only",
     "update_network:provider:physical_network": "rule:admin_only",
     "update_network:provider:segmentation_id": "rule:admin_only",
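Review bot: The added `"update_network:shared": "rule:admin_only"` entry only protects deployments whose active policy file contains it. With a customized policy.json that predates this line, a network owner would, as far as this hunk shows, still pass `"update_network": "rule:admin_or_owner"` and be able to change `shared`. The upgrade or release notes should tell operators to merge this line into their own policy file, and it is worth confirming whether the attribute can be protected by default rather than by the shipped file alone. The rule is keyed on the attribute rather than its value, so it presumably also rejects an owner's request that sets `shared` to False; the commit message ("to True") describes a narrower restriction than the one enforced.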
index 665746f9c52e1dc7dc31ca8c6122b061479a40c6..0cc4ebf4647e5f1ce1a9375f09d63b42266afa1d 100644 (file)
@@ -1818,6 +1818,17 @@ class TestNetworksV2(NeutronDbPluginV2TestCase):
             res = self.deserialize(self.fmt, req.get_response(self.api))
             self.assertTrue(res['network']['shared'])
 
+    def test_update_network_set_shared_owner_returns_404(self):
+        with self.network(shared=False) as network:
+            net_owner = network['network']['tenant_id']
+            data = {'network': {'shared': True}}
+            req = self.new_update_request('networks',
+                                          data,
+                                          network['network']['id'])
+            req.environ['neutron.context'] = context.Context('u', net_owner)
+            res = req.get_response(self.api)
+            self.assertEqual(res.status_int, webob.exc.HTTPNotFound.code)
+
     def test_update_network_with_subnet_set_shared(self):
         with self.network(shared=False) as network:
             with self.subnet(network=network) as subnet:
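Review bot: test_update_network_set_shared_owner_returns_404 asserts only the response status, so it would still pass if the request were answered with 404 after the attribute had already been written. After the `assertEqual` on `res.status_int`, read the network back with an admin context and assert that the flag is unchanged, for example `self.assertFalse(net['network']['shared'])` on the shown network. A companion case using a non-admin tenant that does not own the network would cover the other half of the `admin_only` rule. The enclosing TestNetworksV2 class starts outside the hunk, and test_update_network_with_subnet_set_shared continues past its end.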