MAAS

Merge lp:~jameinel/maas/tags-exposing-nodes into lp:~maas-committers/maas/trunk

tags-exposing-nodes
Merge into trunk

Proposed by John A Meinel on 2012-09-26

Status:	Merged
Approved by:	Martin Packman on 2012-09-26
Approved revision:	no longer in the source branch.
Merged at revision:	1077
Proposed branch:	lp:~jameinel/maas/tags-exposing-nodes
Merge into:	lp:~maas-committers/maas/trunk
Diff against target:	137 lines (+77/-4) 4 files modified src/maasserver/api.py (+1/-4) src/maasserver/models/tag.py (+18/-0) src/maasserver/tests/test_api.py (+22/-0) src/maasserver/tests/test_tag.py (+36/-0)
To merge this branch:	bzr merge lp:~jameinel/maas/tags-exposing-nodes
Related bugs:	Link a bug report

Reviewer	Review Type	Date Requested	Status
Martin Packman (community)		2012-09-26	Approve on 2012-09-26
Review via email: mp+126438@code.launchpad.net

Commit message

/tag/<tagname>?op=nodes no longer exposes private nodes.

Respect that if there is a node owner, it doesn't get shown to anyone but superusers and that owner.

Description of the change

See commit message.

Revision history for this message

Martin Packman (gz) wrote on 2012-09-26:

Looks good, apart from test_get_nodes_returns_everything_for_superuser not setting `user2.is_superuser = True` which you've now fixed already.

review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

Andres Rodriguez

Blake Rouse

Brendan Donegan

Dave Walker

Deepa

Enrique Chirivella Pérez

Fumihito YOSHIDA

John A Meinel

MAAS Committers

Mike Pontillo

james beedy

 === modified file 'src/maasserver/api.py'
 --- src/maasserver/api.py	2012-09-26 08:54:29 +0000
 +++ src/maasserver/api.py	2012-09-26 12:32:23 +0000
@@ -1303,10 +1303,7 @@
      @api_exported('POST')
      def nodes(self, request, name):
          """Get the list of nodes that have this tag."""
--        tag = Tag.objects.get_tag_or_404(name=name, user=request.user)
--        # XXX: JAM 2012-09-25 We need to filter the node set returned by the
--        #      visibility defined by the user.
--        return tag.node_set.all()
++        return Tag.objects.get_nodes(name, user=request.user)
      @classmethod
      def resource_uri(cls, tag=None):
 === modified file 'src/maasserver/models/tag.py'
 --- src/maasserver/models/tag.py	2012-09-23 14:50:34 +0000
 +++ src/maasserver/models/tag.py	2012-09-26 12:32:23 +0000
@@ -21,6 +21,7 @@
      CharField,
      Manager,
      TextField,
++    Q,
+     )
  from django.shortcuts import get_object_or_404
  from maasserver import DefaultMeta
@@ -55,6 +56,23 @@
          tag = get_object_or_404(Tag, name=name)
          return tag
++    def get_nodes(self, tag_name, user):
++        """Get the list of nodes that have this tag.
++
++        This list is restricted to only nodes that the user has VIEW permission
++        for.
++        """
++        tag = self.get_tag_or_404(name=tag_name, user=user)
++        # The privacy logic is taken from Node. Note that we could filter in
++        # python by iterating over all nodes and checking
++        #   user.has_perm(VIEW, node)
++        # It seems better to do this in the DB, though.
++        if user.is_superuser:
++            return tag.node_set.all()
++        else:
++            return tag.node_set.filter(
++                Q(owner__isnull=True) | Q(owner=user))
++
  class Tag(CleanSave, TimestampedModel):
      """A `Tag` is a label applied to a `Node`.
 === modified file 'src/maasserver/tests/test_api.py'
 --- src/maasserver/tests/test_api.py	2012-09-26 08:54:29 +0000
 +++ src/maasserver/tests/test_api.py	2012-09-26 12:32:23 +0000
@@ -2275,6 +2275,28 @@
          self.assertEqual([node1.system_id],
                           [r['system_id'] for r in parsed_result])
++    def test_POST_nodes_hides_invisible_nodes(self):
++        user2 = factory.make_user()
++        node1 = factory.make_node()
++        node1.set_hardware_details('<node><foo /></node>')
++        node2 = factory.make_node(status=NODE_STATUS.ALLOCATED, owner=user2)
++        node2.set_hardware_details('<node><bar /></node>')
++        tag = factory.make_tag(definition='/node')
++        tag.populate_nodes()
++        response = self.client.post(self.get_tag_uri(tag), {'op': 'nodes'})
++
++        self.assertEqual(httplib.OK, response.status_code)
++        parsed_result = json.loads(response.content)
++        self.assertEqual([node1.system_id],
++                         [r['system_id'] for r in parsed_result])
++        # However, for the other user, they should see the result
++        client2 = OAuthAuthenticatedClient(user2)
++        response = client2.post(self.get_tag_uri(tag), {'op': 'nodes'})
++        self.assertEqual(httplib.OK, response.status_code)
++        parsed_result = json.loads(response.content)
++        self.assertItemsEqual([node1.system_id, node2.system_id],
++                              [r['system_id'] for r in parsed_result])
++
      def test_PUT_invalid_definition(self):
          self.become_admin()
          node = factory.make_node()
 === modified file 'src/maasserver/tests/test_tag.py'
 --- src/maasserver/tests/test_tag.py	2012-09-26 08:40:33 +0000
 +++ src/maasserver/tests/test_tag.py	2012-09-26 12:32:23 +0000
@@ -15,6 +15,8 @@
  from django.db import transaction
  from django.db.utils import DatabaseError
  from maastesting.djangotestcase import TransactionTestCase
++from maasserver.enum import NODE_STATUS
++from maasserver.models import Tag
  from maasserver.testing.factory import factory
  from maasserver.testing.testcase import TestCase
@@ -79,6 +81,40 @@
          self.assertItemsEqual([tag1.name], node1.tag_names())
          self.assertItemsEqual([tag2.name], node2.tag_names())
++    def test_get_nodes_returns_unowned_nodes(self):
++        user1 = factory.make_user()
++        node1 = factory.make_node()
++        tag = factory.make_tag()
++        node1.tags.add(tag)
++        self.assertItemsEqual([node1], Tag.objects.get_nodes(tag.name, user1))
++
++    def test_get_nodes_returns_self_owned_nodes(self):
++        user1 = factory.make_user()
++        node1 = factory.make_node(owner=user1)
++        tag = factory.make_tag()
++        node1.tags.add(tag)
++        self.assertItemsEqual([node1], Tag.objects.get_nodes(tag.name, user1))
++
++    def test_get_nodes_doesnt_return_other_owned_nodes(self):
++        user1 = factory.make_user()
++        user2 = factory.make_user()
++        node1 = factory.make_node(owner=user1)
++        tag = factory.make_tag()
++        node1.tags.add(tag)
++        self.assertItemsEqual([], Tag.objects.get_nodes(tag.name, user2))
++
++    def test_get_nodes_returns_everything_for_superuser(self):
++        user1 = factory.make_user()
++        user2 = factory.make_user()
++        user2.is_superuser = True
++        node1 = factory.make_node(owner=user1)
++        node2 = factory.make_node()
++        tag = factory.make_tag()
++        node1.tags.add(tag)
++        node2.tags.add(tag)
++        self.assertItemsEqual([node1, node2],
++                              Tag.objects.get_nodes(tag.name, user2))
++
  class TestTagTransactions(TransactionTestCase):