author | David Gutman <david.gutman@thalesgroup.com> | 2018-01-03 14:25:46 +0100 |
---|---|---|
committer | Akihiro Motoki <amotoki@gmail.com> | 2018-02-02 21:24:33 +0900 |
commit | 3f585d3b1efca1b2379d6c0a80246fd6e5a87640 (patch) | |
tree | 8cdbb12950a2d36ef1c540e1b5852e3f9376ee67 /horizon | |
parent | 02119d856259d04b9994adc8a3bdad68ecb4008a (diff) | |
download | horizon-3f585d3b1efca1b2379d6c0a80246fd6e5a87640.tar.gz |
Views accessible via url even if user doesn't match policy rules
When a user doesn't match the policy rules of a panel then the panel tab
is removed from the menu of the left, but panel views are still
accessible using directly the url (ex /admin/flavors/).
In most cases these views would not work correctly anyway, because the
backend rejects the calls for lack of rights, but it can cause trouble
when experimenting with policies.
I think it could be more elegant to return directly a "You are not
authorized to access this page" from the frontend when user try to
access a view of a panel (via url) without matching the policy rules.
Change-Id: I7bc93fed29568adfc14d5bcadfc8728d3b5cf633
Closes-Bug: #1741051
Diffstat (limited to 'horizon')
-rw-r--r-- | horizon/base.py | 3 | ||||
-rw-r--r-- | horizon/decorators.py | 23 |
2 files changed, 26 insertions, 0 deletions
diff --git a/horizon/base.py b/horizon/base.py
index dfbe59a75..cb3becd23 100644
--- a/horizon/base.py
+++ b/horizon/base.py
@@ -43,6 +43,7 @@ import six
 from horizon import conf
 from horizon.decorators import _current_component
 from horizon.decorators import require_auth
+from horizon.decorators import require_component_access
 from horizon.decorators import require_perms
 from horizon import loaders
 from horizon.utils import settings as utils_settings
@@ -320,6 +321,8 @@ class Panel(HorizonComponent):
         # Apply access controls to all views in the patterns
         permissions = getattr(self, 'permissions', [])
         _decorate_urlconf(urlpatterns, require_perms, permissions)
+        _decorate_urlconf(
+            urlpatterns, require_component_access, component=self)
         _decorate_urlconf(urlpatterns, _current_component, panel=self)
 
         # Return the three arguments to django.conf.urls.include
diff --git a/horizon/decorators.py b/horizon/decorators.py
index 7be22ef44..dd4fe776b 100644
--- a/horizon/decorators.py
+++ b/horizon/decorators.py
@@ -90,3 +90,26 @@ def require_perms(view_func, required):
             return dec
         else:
             return view_func
+
+
+def require_component_access(view_func, component):
+    """Perform component can_access check to access the view.
+
+    :param component containing the view (panel or dashboard).
+
+    Raises a :exc:`~horizon.exceptions.NotAuthorized` exception if the
+    user cannot access the component containing the view.
+    By example the check of component policy rules will be applied to its
+    views.
+    """
+    from horizon.exceptions import NotAuthorized
+
+    @functools.wraps(view_func, assigned=available_attrs(view_func))
+    def dec(request, *args, **kwargs):
+        if not component.can_access({'request': request}):
+            raise NotAuthorized(_("You are not authorized to access %s")
+                                % request.path)
+
+        return view_func(request, *args, **kwargs)
+
+    return dec
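Review bot: The new `require_component_access` decoration is applied only inside `Panel`'s URL assembly, so a `policy_rules` declared on a `Dashboard` is presumably still bypassable by direct URL in exactly the way this commit closes for panels; if `Dashboard` builds its urlconf with the same `require_perms` / `_current_component` sequence (outside this hunk), the same line `_decorate_urlconf(urlpatterns, require_component_access, component=self)` belongs there as well. The ordering chosen here looks right: assuming `_decorate_urlconf` wraps the existing callback, `_current_component` ends up outermost and attaches the panel to the request before the access check runs, which matters if `can_access` ever consults it. A one-line comment stating that intent, e.g. `# Policy check runs after _current_component has set request.horizon`, would keep a later reorder from silently breaking it. The enclosing method starts and ends outside the hunk.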
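Review bot: The docstring's field `:param component containing the view (panel or dashboard).` is malformed reST (no closing colon on the field name) and `view_func` is not documented at all; I would write `:param view_func: the view callable to wrap.` and `:param component: the panel or dashboard whose can_access() guards the view.`, and change "By example" to "For example". The function-scope `from horizon.exceptions import NotAuthorized` deserves a why-comment, presumably `# Local import: horizon.exceptions imports this module` — confirm the cycle before asserting it. The check is correctly fail-closed (any falsy `can_access` result raises), and interpolating `request.path` rather than `get_full_path()` into the message is the right choice since it keeps the attacker-chosen query string out of the user-facing text; the path itself is still attacker-influenced, so this relies on the `NotAuthorized` handler rendering the message with autoescaping, which I assume but cannot see here.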