def is_image_visible(self, image):
"""Return True if the image is visible in this context."""
# Is admin == image visible
if self.is_admin:
return True
# No owner == image visible
if image.owner is None:
return True
# Image is_public == image visible
if image.is_public:
return True
# Perform tests based on whether we have an owner
if self.owner is not None:
if self.owner == image.owner:
return True
# Figure out if this image is shared with that tenant
try:
db_api.image_member_find(self, image.id, self.owner)
return True
except exception.NotFound:
pass
# Private image
return False
def is_image_sharable(self, image, **kwargs):
"""Return True if the image can be shared to others in this context."""
# Only allow sharing if we have an owner
if self.owner is None:
return False
# Is admin == image sharable
if self.is_admin:
return True
# If we own the image, we can share it
if self.owner == image.owner:
return True
# Let's get the membership association
if 'membership' in kwargs:
membership = kwargs['membership']
if membership is None:
# Not shared with us anyway
return False
else:
try:
membership = db_api.image_member_find(self, image.id,
self.owner)
except exception.NotFound:
# Not shared with us anyway
return False
# It's the can_share attribute we're now interested in
return membership.can_share
def is_image_visible(self, image):
"""Return True if the image is visible in this context."""
# Is admin == image visible
if self.is_admin:
return True
# No owner == image visible
if image['owner'] is None:
return True
# Image is_public == image visible
if image['is_public']:
return True
# Perform tests based on whether we have an owner
if self.owner is not None:
if self.owner == image['owner']:
return True
# Figure out if this image is shared with that tenant
try:
tmp = db_api.image_member_find(self, image['id'], self.owner)
return not tmp['deleted']
except exception.NotFound:
pass
# Private image
return False
def is_image_sharable(self, image, **kwargs):
"""Return True if the image can be shared to others in this context."""
# Only allow sharing if we have an owner
if self.owner is None:
return False
# Is admin == image sharable
if self.is_admin:
return True
# If we own the image, we can share it
if self.owner == image['owner']:
return True
# Let's get the membership association
if 'membership' in kwargs:
membership = kwargs['membership']
if membership is None:
# Not shared with us anyway
return False
else:
try:
membership = db_api.image_member_find(self, image['id'],
self.owner)
except exception.NotFound:
# Not shared with us anyway
return False
# It's the can_share attribute we're now interested in
return membership['can_share']
def delete(self, req, image_id, id):
"""
Removes a membership from the image.
"""
if req.context.read_only:
raise webob.exc.HTTPForbidden()
elif req.context.owner is None:
raise webob.exc.HTTPUnauthorized(_("No authenticated user"))
# Make sure the image exists
try:
image = db_api.image_get(req.context, image_id)
except exception.NotFound:
raise webob.exc.HTTPNotFound()
except exception.NotAuthorized:
# If it's private and doesn't belong to them, don't let on
# that it exists
msg = _("Access by %(user)s to image %(id)s "
"denied") % ({
'user': req.context.user,
'id': image_id
})
logger.info(msg)
raise webob.exc.HTTPNotFound()
# Can they manipulate the membership?
if not req.context.is_image_sharable(image):
msg = _("No permission to share that image")
raise webob.exc.HTTPForbidden(msg)
# Look up an existing membership
try:
session = db_api.get_session()
member_ref = db_api.image_member_find(req.context,
image_id,
id,
session=session)
db_api.image_member_delete(req.context,
member_ref,
session=session)
except exception.NotFound:
pass
# Make an appropriate result
return webob.exc.HTTPNoContent()
def delete(self, req, image_id, id):
"""
Removes a membership from the image.
"""
if req.context.read_only:
raise webob.exc.HTTPForbidden()
elif req.context.owner is None:
raise webob.exc.HTTPUnauthorized(_("No authenticated user"))
# Make sure the image exists
try:
image = db_api.image_get(req.context, image_id)
except exception.NotFound:
raise webob.exc.HTTPNotFound()
except exception.NotAuthorized:
# If it's private and doesn't belong to them, don't let on
# that it exists
msg = _("Access by %(user)s to image %(id)s "
"denied") % ({'user': req.context.user,
'id': image_id})
logger.info(msg)
raise webob.exc.HTTPNotFound()
# Can they manipulate the membership?
if not req.context.is_image_sharable(image):
msg = _("No permission to share that image")
raise webob.exc.HTTPForbidden(msg)
# Look up an existing membership
try:
session = db_api.get_session()
member_ref = db_api.image_member_find(req.context,
image_id,
id,
session=session)
db_api.image_member_delete(req.context,
member_ref,
session=session)
except exception.NotFound:
pass
# Make an appropriate result
return webob.exc.HTTPNoContent()
class Controller(object):
def __init__(self, conf):
self.conf = conf
db_api.configure_db(conf)
def index(self, req, image_id):
"""
Get the members of an image.
"""
try:
image = db_api.image_get(req.context, image_id)
except exception.NotFound:
raise webob.exc.HTTPNotFound()
except exception.NotAuthorized:
# If it's private and doesn't belong to them, don't let on
# that it exists
msg = _("Access by %(user)s to image %(id)s "
"denied") % ({
'user': req.context.user,
'id': image_id
})
logger.info(msg)
raise webob.exc.HTTPNotFound()
return dict(members=make_member_list(
image['members'], member_id='member', can_share='can_share'))
def update_all(self, req, image_id, body):
"""
Replaces the members of the image with those specified in the
body. The body is a dict with the following format::
{"memberships": [
{"member_id": <MEMBER_ID>,
["can_share": [True|False]]}, ...
]}
"""
if req.context.read_only:
raise webob.exc.HTTPForbidden()
elif req.context.owner is None:
raise webob.exc.HTTPUnauthorized(_("No authenticated user"))
# Make sure the image exists
session = db_api.get_session()
try:
image = db_api.image_get(req.context, image_id, session=session)
except exception.NotFound:
raise webob.exc.HTTPNotFound()
except exception.NotAuthorized:
# If it's private and doesn't belong to them, don't let on
# that it exists
msg = _("Access by %(user)s to image %(id)s "
"denied") % ({
'user': req.context.user,
'id': image_id
})
logger.info(msg)
raise webob.exc.HTTPNotFound()
# Can they manipulate the membership?
if not req.context.is_image_sharable(image):
msg = _("No permission to share that image")
raise webob.exc.HTTPForbidden(msg)
# Get the membership list
try:
memb_list = body['memberships']
except Exception, e:
# Malformed entity...
msg = _("Invalid membership association: %s") % e
raise webob.exc.HTTPBadRequest(explanation=msg)
add = []
existing = {}
# Walk through the incoming memberships
for memb in memb_list:
try:
datum = dict(image_id=image['id'],
member=memb['member_id'],
can_share=None)
except Exception, e:
# Malformed entity...
msg = _("Invalid membership association: %s") % e
raise webob.exc.HTTPBadRequest(explanation=msg)
# Figure out what can_share should be
if 'can_share' in memb:
datum['can_share'] = bool(memb['can_share'])
# Try to find the corresponding membership
try:
membership = db_api.image_member_find(req.context,
datum['image_id'],
datum['member'],
session=session)
# Are we overriding can_share?
if datum['can_share'] is None:
datum['can_share'] = membership['can_share']
existing[membership['id']] = {
'values': datum,
'membership': membership,
}
except exception.NotFound:
# Default can_share
datum['can_share'] = bool(datum['can_share'])
add.append(datum)
# Determine the applicable can_share value
can_share = None
if body:
try:
can_share = bool(body['member']['can_share'])
except Exception, e:
# Malformed entity...
msg = _("Invalid membership association: %s") % e
raise webob.exc.HTTPBadRequest(explanation=msg)
# Look up an existing membership...
try:
session = db_api.get_session()
membership = db_api.image_member_find(req.context,
image_id,
id,
session=session)
if can_share is not None:
values = dict(can_share=can_share)
db_api.image_member_update(req.context,
membership,
values,
session=session)
except exception.NotFound:
values = dict(image_id=image['id'],
member=id,
can_share=bool(can_share))
db_api.image_member_create(req.context, values, session=session)
return webob.exc.HTTPNoContent()
# Determine the applicable can_share value
can_share = None
if body:
try:
can_share = bool(body['member']['can_share'])
except Exception, e:
# Malformed entity...
msg = _("Invalid membership association: %s") % e
raise webob.exc.HTTPBadRequest(explanation=msg)
# Look up an existing membership...
try:
session = db_api.get_session()
membership = db_api.image_member_find(req.context,
image_id, id,
session=session)
if can_share is not None:
values = dict(can_share=can_share)
db_api.image_member_update(req.context, membership, values,
session=session)
except exception.NotFound:
values = dict(image_id=image['id'], member=id,
can_share=bool(can_share))
db_api.image_member_create(req.context, values, session=session)
return webob.exc.HTTPNoContent()
def delete(self, req, image_id, id):
"""
Removes a membership from the image.
datum = dict(image_id=image['id'],
member=memb['member_id'],
can_share=None)
except Exception, e:
# Malformed entity...
msg = _("Invalid membership association: %s") % e
raise exc.HTTPBadRequest(explanation=msg)
# Figure out what can_share should be
if 'can_share' in memb:
datum['can_share'] = bool(memb['can_share'])
# Try to find the corresponding membership
try:
membership = db_api.image_member_find(req.context,
datum['image_id'],
datum['member'],
session=session)
# Are we overriding can_share?
if datum['can_share'] is None:
datum['can_share'] = membership['can_share']
existing[membership['id']] = {
'values': datum,
'membership': membership,
}
except exception.NotFound:
# Default can_share
datum['can_share'] = bool(datum['can_share'])
add.append(datum)
datum = dict(image_id=image['id'],
member=memb['member_id'],
can_share=None)
except Exception, e:
# Malformed entity...
msg = _("Invalid membership association: %s") % e
raise exc.HTTPBadRequest(explanation=msg)
# Figure out what can_share should be
if 'can_share' in memb:
datum['can_share'] = bool(memb['can_share'])
# Try to find the corresponding membership
try:
membership = db_api.image_member_find(req.context,
datum['image_id'],
datum['member'],
session=session)
# Are we overriding can_share?
if datum['can_share'] is None:
datum['can_share'] = membership['can_share']
existing[membership['id']] = {
'values': datum,
'membership': membership,
}
except exception.NotFound:
# Default can_share
datum['can_share'] = bool(datum['can_share'])
add.append(datum)