From 7b3fcd17eaa8a67937c0baa2c46a36e1140c5209 Mon Sep 17 00:00:00 2001 From: Valentin Samir Date: Mon, 9 May 2016 12:07:30 +0200 Subject: [PATCH 1/2] Check user permission before delete or resize Else a user without these permission could delete or resize and instance by forging a good post request. --- instances/views.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/instances/views.py b/instances/views.py index 0109631..e19c632 100644 --- a/instances/views.py +++ b/instances/views.py @@ -260,7 +260,7 @@ def instance(request, compute_id, vname): addlogmsg(request.user.username, instance.name, msg) return HttpResponseRedirect(request.get_full_path() + '#powerforce') - if 'delete' in request.POST: + if 'delete' in request.POST and (request.user.is_superuser or userinstace.is_delete): if conn.get_status() == 1: conn.force_shutdown() if request.POST.get('delete_disk', ''): @@ -330,7 +330,7 @@ def instance(request, compute_id, vname): msg = _("Please shutdow down your instance and then try again") error_messages.append(msg) - if 'resize' in request.POST: + if 'resize' in request.POST and (request.user.is_superuser or userinstace.is_change): vcpu = request.POST.get('vcpu', '') cur_vcpu = request.POST.get('cur_vcpu', '') memory = request.POST.get('memory', '') From 7efbfec17f7adaf0a774a4cfdbb1686032cfe11e Mon Sep 17 00:00:00 2001 From: Valentin Samir Date: Mon, 9 May 2016 12:08:31 +0200 Subject: [PATCH 2/2] Add an option to allow an user to change VNC settings --- .../migrations/0004_userinstance_is_vnc.py | 19 +++++++++++++++++++ accounts/models.py | 1 + accounts/templates/account.html | 11 +++++++++++ accounts/views.py | 2 ++ instances/templates/instance.html | 8 ++++++++ instances/views.py | 2 ++ 6 files changed, 43 insertions(+) create mode 100644 accounts/migrations/0004_userinstance_is_vnc.py diff --git a/accounts/migrations/0004_userinstance_is_vnc.py b/accounts/migrations/0004_userinstance_is_vnc.py new file mode 100644 index 0000000..9c1c9b8 --- /dev/null +++ b/accounts/migrations/0004_userinstance_is_vnc.py @@ -0,0 +1,19 @@ +# -*- coding: utf-8 -*- +from __future__ import unicode_literals + +from django.db import migrations, models + + +class Migration(migrations.Migration): + + dependencies = [ + ('accounts', '0003_usersshkey'), + ] + + operations = [ + migrations.AddField( + model_name='userinstance', + name='is_vnc', + field=models.BooleanField(default=False), + ), + ] diff --git a/accounts/models.py b/accounts/models.py index 15cedee..20efc6f 100644 --- a/accounts/models.py +++ b/accounts/models.py @@ -8,6 +8,7 @@ class UserInstance(models.Model): instance = models.ForeignKey(Instance) is_change = models.BooleanField(default=False) is_delete = models.BooleanField(default=False) + is_vnc = models.BooleanField(default=False) def __unicode__(self): return self.instance.name diff --git a/accounts/templates/account.html b/accounts/templates/account.html index b6a8b6c..c8d8c19 100644 --- a/accounts/templates/account.html +++ b/accounts/templates/account.html @@ -29,6 +29,7 @@ # {% trans "Instance" %} + {% trans "VNC" %} {% trans "Resize" %} {% trans "Delete" %} {% trans "Action" %} @@ -39,6 +40,7 @@ {{ forloop.counter }} {{ inst.instance.name }} + {{ inst.is_vnc }} {{ inst.is_change }} {{ inst.is_delete }} @@ -57,6 +59,15 @@
{% csrf_token %} +
+ +
+ +
+
diff --git a/accounts/views.py b/accounts/views.py index d2893bb..3b6a63e 100644 --- a/accounts/views.py +++ b/accounts/views.py @@ -151,11 +151,13 @@ def account(request, user_id): return HttpResponseRedirect(request.get_full_path()) if 'permission' in request.POST: user_inst = request.POST.get('user_inst', '') + inst_vnc = request.POST.get('inst_vnc', '') inst_change = request.POST.get('inst_change', '') inst_delete = request.POST.get('inst_delete', '') edit_user_inst = UserInstance.objects.get(id=user_inst) edit_user_inst.is_change = bool(inst_change) edit_user_inst.is_delete = bool(inst_delete) + edit_user_inst.is_vnc = bool(inst_vnc) edit_user_inst.save() return HttpResponseRedirect(request.get_full_path()) if 'add' in request.POST: diff --git a/instances/templates/instance.html b/instances/templates/instance.html index c3baecc..36e7afa 100644 --- a/instances/templates/instance.html +++ b/instances/templates/instance.html @@ -477,11 +477,15 @@ {% trans "Autostart" %} + {% endif %} + {% if request.user.is_superuser or userinstace.is_vnc %}
  • {% trans "VNC" %}
    • + {% endif %} + {% if request.user.is_superuser %}
  • {% trans "Clone" %} @@ -551,6 +555,8 @@
    • + {% endif %} + {% if request.user.is_superuser or userinstace.is_vnc %}

    {% trans "To set console's type, shutdown the instance." %}

    {% csrf_token %} @@ -643,6 +649,8 @@
    + {% endif %} + {% if request.user.is_superuser %}

    {% trans "Create a clone" %}

    {% csrf_token %} diff --git a/instances/views.py b/instances/views.py index e19c632..4d29df8 100644 --- a/instances/views.py +++ b/instances/views.py @@ -418,6 +418,7 @@ def instance(request, compute_id, vname): addlogmsg(request.user.username, instance.name, msg) return HttpResponseRedirect(request.get_full_path() + '#xmledit') + if request.user.is_superuser or userinstace.is_vnc: if 'set_console_passwd' in request.POST: if request.POST.get('auto_pass', ''): passwd = randomPasswd() @@ -456,6 +457,7 @@ def instance(request, compute_id, vname): addlogmsg(request.user.username, instance.name, msg) return HttpResponseRedirect(request.get_full_path() + '#vncsettings') + if request.user.is_superuser: if 'migrate' in request.POST: compute_id = request.POST.get('compute_id', '') live = request.POST.get('live_migrate', False)