mirror of https://github.com/retspen/webvirtcloud synced 2024-12-25 15:45:23 +00:00

Check user permission before delete or resize

Otherwise, a user without these permissions could delete or resize an instance
by forging a valid POST request.
Valentin Samir 2016-05-09 12:07:30 +02:00
parent 4ce76f57c6
commit 7b3fcd17ea


@ -260,7 +260,7 @@ def instance(request, compute_id, vname):
addlogmsg(request.user.username, instance.name, msg) addlogmsg(request.user.username, instance.name, msg)
return HttpResponseRedirect(request.get_full_path() + '#powerforce') return HttpResponseRedirect(request.get_full_path() + '#powerforce')
if 'delete' in request.POST: if 'delete' in request.POST and (request.user.is_superuser or userinstace.is_delete):
if conn.get_status() == 1: if conn.get_status() == 1:
conn.force_shutdown() conn.force_shutdown()
if request.POST.get('delete_disk', ''): if request.POST.get('delete_disk', ''):
@ -330,7 +330,7 @@ def instance(request, compute_id, vname):
msg = _("Please shutdow down your instance and then try again") msg = _("Please shutdow down your instance and then try again")
error_messages.append(msg) error_messages.append(msg)
if 'resize' in request.POST: if 'resize' in request.POST and (request.user.is_superuser or userinstace.is_change):
vcpu = request.POST.get('vcpu', '') vcpu = request.POST.get('vcpu', '')
cur_vcpu = request.POST.get('cur_vcpu', '') cur_vcpu = request.POST.get('cur_vcpu', '')
memory = request.POST.get('memory', '') memory = request.POST.get('memory', '')
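Review bot: A request refused by the new checks on the `delete` and `resize` branches leaves no trace, because the permission test is folded into the `if` and a forged POST simply skips the branch with no error message and no `addlogmsg` entry. Since the commit's purpose is to stop forged requests, the denial is worth recording, for example by keeping `if 'delete' in request.POST:` and nesting `if not (request.user.is_superuser or userinstace.is_delete):` with an `addlogmsg(...)` call and an `error_messages.append(...)` ahead of the destructive code. The expression also dereferences `userinstace` for every non-superuser; its assignment is outside the hunk, so confirm it cannot be None at this point, otherwise the check raises AttributeError instead of denying cleanly. The body of `instance()` starts and ends outside both hunks.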