From 917ca4f404fa906c50bbbaa79df3cb4c8e3e7f10 Mon Sep 17 00:00:00 2001
From: Stephen Ma
Date: Mon, 20 Jan 2014 15:48:28 +0000
Subject: [PATCH] Disallow non-admin users update net's shared attribute

Currently non-admin user cannot create a network with shared=True. But the user can create the network and then change the shared attribute to True. This patch will no longer allow non-admin user to update a network's shared value to True.

Change-Id: Id596ee399c56b9882efab97a89dbf7d14c5cf7f4
Closes-Bug: 1268823
---
 etc/policy.json | 1 +
 neutron/tests/unit/test_db_plugin.py | 11 +++++++++++
 2 files changed, 12 insertions(+)

diff --git a/etc/policy.json b/etc/policy.json
index d0e022204..cd65e6b96 100644
--- a/etc/policy.json
+++ b/etc/policy.json
@@ -35,6 +35,7 @@
 "create_network:provider:segmentation_id": "rule:admin_only",
 "update_network": "rule:admin_or_owner",
 "update_network:segments": "rule:admin_only",
+ "update_network:shared": "rule:admin_only",
 "update_network:provider:network_type": "rule:admin_only",
 "update_network:provider:physical_network": "rule:admin_only",
 "update_network:provider:segmentation_id": "rule:admin_only",
diff --git a/neutron/tests/unit/test_db_plugin.py b/neutron/tests/unit/test_db_plugin.py
index 665746f9c..0cc4ebf46 100644
--- a/neutron/tests/unit/test_db_plugin.py
+++ b/neutron/tests/unit/test_db_plugin.py
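Review bot: The added `"update_network:shared": "rule:admin_only"` entry is the entire fix, so a deployment running its own edited copy of policy.json stays exposed until an operator adds the line by hand; as far as this patch shows, nothing in code enforces the restriction by default. The commit message or upgrade notes should tell operators to add `"update_network:shared": "rule:admin_only"` to any customised policy file. It is also worth confirming that the rule does not reject an owner's update that merely carries `shared: false` unchanged, since an attribute rule presumably applies whenever the key is present in the request body.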
@@ -1818,6 +1818,17 @@ class TestNetworksV2(NeutronDbPluginV2TestCase):
 res = self.deserialize(self.fmt, req.get_response(self.api))
 self.assertTrue(res['network']['shared'])
 
+ def test_update_network_set_shared_owner_returns_404(self):
+ with self.network(shared=False) as network:
+ net_owner = network['network']['tenant_id']
+ data = {'network': {'shared': True}}
+ req = self.new_update_request('networks',
+ data,
+ network['network']['id'])
+ req.environ['neutron.context'] = context.Context('u', net_owner)
+ res = req.get_response(self.api)
+ self.assertEqual(res.status_int, webob.exc.HTTPNotFound.code)
+
 def test_update_network_with_subnet_set_shared(self):
 with self.network(shared=False) as network:
 with self.subnet(network=network) as subnet:
-- 2.45.2
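Review bot: test_update_network_set_shared_owner_returns_404 asserts only the response status, so it would still pass if the request were rejected after the `shared` flag had already been written. After the status check, re-read the network and assert the flag is unchanged, e.g. `req = self.new_show_request('networks', network['network']['id'])`, `res = self.deserialize(self.fmt, req.get_response(self.api))`, `self.assertFalse(res['network']['shared'])`. A one-line comment explaining why the policy denial is expected as 404 rather than 403 would also help, since the owner can otherwise see this network. The new test is complete within the hunk; the tests before and after it are cut at the hunk edges.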