From b8567d60602280aba294cbea99dbf10c9bbb321b Mon Sep 17 00:00:00 2001 From: David Lyle Date: Fri, 18 Nov 2016 15:45:22 -0700 Subject: Fix policy check short circuit The check() method was broken during a refactor and now only checks the first result in the list and then returns that result. This patch restores the AND functionality of check and only short circuits on a failed result. Closes-Bug: #1643082 Change-Id: I7d976299de2a35b81ced29d2c3f265da62f20eff --- openstack_auth/policy.py | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/openstack_auth/policy.py b/openstack_auth/policy.py index 3047a90..81fc7c2 100644 --- a/openstack_auth/policy.py +++ b/openstack_auth/policy.py @@ -75,7 +75,8 @@ def check(actions, request, target=None): to policy setting. :param actions: list of scope and action to do policy checks on, - the composition of which is (scope, action) + the composition of which is (scope, action). Multiple actions + are treated as a logical AND. * scope: service type managing the policy for action @@ -153,12 +154,16 @@ def check(actions, request, target=None): # needed when a domain scoped token is present if scope == 'identity' and domain_credentials: # use domain credentials - return _check_credentials( - enforcer[scope], action, target, domain_credentials) + if not _check_credentials(enforcer[scope], + action, + target, + domain_credentials): + return False # use project credentials - return _check_credentials( - enforcer[scope], action, target, credentials) + if not _check_credentials(enforcer[scope], + action, target, credentials): + return False # if no policy for scope, allow action, underlying API will # ultimately block the action if not permitted, treat as though -- cgit v1.2.1
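Review bot: An `identity` action evaluated with domain credentials now appears to need the project-credential check to pass as well, because in the second hunk of openstack_auth/policy.py the domain branch no longer returns on success and execution continues to the `# use project credentials` check. Before this change the domain result alone decided that case; the page has lost its indentation, so this reading assumes no `else` sits between the two checks. If only the domain result should count, add `continue` after the domain check passes. If both are meant to be required, state it in a comment such as `# domain-scoped identity actions must pass both the domain and the project credential check`. The diffstat lists only policy.py, so a regression test asserting that check() returns False when a later action in the list is denied would keep the AND behaviour from being lost in the next refactor; the loop body starts and ends outside the hunk.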