authorJenkins <jenkins@review.openstack.org>2017-01-19 21:02:21 +0000
committerGerrit Code Review <review@openstack.org>2017-01-19 21:02:21 +0000
commit75f274da9491f4dcb729640f46a3dabf26a18562 (patch)
treec709354df1725ffafad6eabf95771b5bcc1160c9
parent6d82a31ba70a3182ef9811ea9eea2c49e0c03bac (diff)
parentb8567d60602280aba294cbea99dbf10c9bbb321b (diff)
downloaddjango_openstack_auth-75f274da9491f4dcb729640f46a3dabf26a18562.tar.gz
Merge "Fix policy check short circuit"
-rw-r--r--openstack_auth/policy.py15
1 files changed, 10 insertions, 5 deletions
diff --git a/openstack_auth/policy.py b/openstack_auth/policy.py
index 3047a90..81fc7c2 100644
--- a/openstack_auth/policy.py
+++ b/openstack_auth/policy.py
@@ -75,7 +75,8 @@ def check(actions, request, target=None):
to policy setting.
:param actions: list of scope and action to do policy checks on,
- the composition of which is (scope, action)
+ the composition of which is (scope, action). Multiple actions
+ are treated as a logical AND.
* scope: service type managing the policy for action
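Review bot: The added docstring sentence says multiple actions are a logical AND, but it does not say what happens to an action whose scope has no policy; the comment near the end of check() says such an action is allowed. A caller reading only the docstring could assume an unknown scope fails the AND, so add a sentence such as `Actions whose scope has no policy are not evaluated and are treated as allowed.` The docstring of check() starts and ends outside this hunk.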
@@ -153,12 +154,16 @@ def check(actions, request, target=None):
# needed when a domain scoped token is present
if scope == 'identity' and domain_credentials:
# use domain credentials
- return _check_credentials(
- enforcer[scope], action, target, domain_credentials)
+ if not _check_credentials(enforcer[scope],
+ action,
+ target,
+ domain_credentials):
+ return False
# use project credentials
- return _check_credentials(
- enforcer[scope], action, target, credentials)
+ if not _check_credentials(enforcer[scope],
+ action, target, credentials):
+ return False
# if no policy for scope, allow action, underlying API will
# ultimately block the action if not permitted, treat as though
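Review bot: In the `scope == 'identity' and domain_credentials` branch, a passing domain-credential check no longer ends evaluation of that action, so it appears to fall through to the project-credential check below (indentation is lost on this page, so this is inferred from line order). If so, an identity action under a domain-scoped token must now pass both checks, which is stricter than the old code that returned the domain result alone. If both are meant to be required, state it with a comment such as `# identity actions must pass the domain-scoped check and the project-scoped check`; if the domain result should be decisive, add `continue` after the domain check passes. The diffstat lists only policy.py, so a test that passes two actions, the first allowed and the second denied, and expects False would pin the fix. The body of check() starts before and continues after this hunk.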