author | Timur Sufiev <tsufiev@mirantis.com> | 2014-12-24 10:23:00 -0800 |
---|---|---|
committer | Timur Sufiev <tsufiev@mirantis.com> | 2016-06-08 12:47:40 +0300 |
commit | 4328c72af1608238a3fd93f583b115b661745ada (patch) | |
tree | f93959e55f169e0beb41cd38855ce19af39d5b46 /horizon/test | |
parent | a45b6b9660c755a48c9b3ff44e4d1d6034f73c8e (diff) | |
download | horizon-4328c72af1608238a3fd93f583b115b661745ada.tar.gz |
Enhance policy rules to workflow actions
Policy rules are a more flexible way (than permissions) to determine
what Dashboards/Panels/Table actions are visible for the given
user. But workflow actions (and thus workflow steps) do not use
them. As a consequence, there are situations when according to the
backend service policies (e.g. Neutron) an action represented by a
workflow step is denied for the user (e.g. user is not permitted to
create subnets), yet he sees the corresponding steps in Horizon,
provides and submits the data which leads to an error from Neutron
side. More appropriate behavior here for Horizon would be to not show
to the user the workflow steps he is not able to complete - and if
these steps are required for successfully completing the workflow,
make him unable to start the workflow itself.
Implements: blueprint add-policy-rules-to-workflow-actions
Change-Id: Idededa3dee361e4a42106921a9f332a69c14ae21
Diffstat (limited to 'horizon/test')
-rw-r--r-- | horizon/test/tests/workflows.py | 33 |
1 files changed, 33 insertions, 0 deletions
diff --git a/horizon/test/tests/workflows.py b/horizon/test/tests/workflows.py
index f5e2943a7..cec60f21f 100644
--- a/horizon/test/tests/workflows.py
+++ b/horizon/test/tests/workflows.py
@@ -14,6 +14,7 @@
 from django import forms
 from django import http
+import mock
 import six
@@ -81,6 +82,15 @@ class AdminAction(workflows.Action):
 permissions = ("horizon.test",)
+class AdminForbiddenAction(workflows.Action):
+ admin_id = forms.CharField(label="Admin forbidden")
+
+ class Meta(object):
+ name = "Admin Action"
+ slug = "admin_action"
+ policy_rules = (('action', 'forbidden'),)
+
+
 class TestStepOne(workflows.Step):
 action_class = TestActionOne
 contributes = ("project_id", "user_id")
@@ -111,6 +121,10 @@ class AdminStep(workflows.Step):
 before = TestStepTwo
+class AdminForbiddenStep(workflows.Step):
+ action_class = AdminForbiddenAction
+
+
 class TestWorkflow(workflows.Workflow):
 slug = "test_workflow"
 default_steps = (TestStepOne, TestStepTwo)
@@ -135,6 +149,10 @@ class TestFullscreenWorkflowView(workflows.WorkflowView):
 class WorkflowsTests(test.TestCase):
 def setUp(self):
 super(WorkflowsTests, self).setUp()
+ self.policy_patcher = mock.patch(
+ 'openstack_auth.policy.check', lambda action, request: True)
+ self.policy_check = self.policy_patcher.start()
+ self.addCleanup(mock.patch.stopall)
 def tearDown(self):
 super(WorkflowsTests, self).tearDown()
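Review bot: `AdminForbiddenAction.Meta` reuses `name = "Admin Action"` and `slug = "admin_action"`, the slug that a later hunk's context line shows for AdminStep (`'<AdminStep: admin_action>'`), so the two fixtures cannot be told apart by name or slug. The new policy test asserts that this name is absent from the rendered workflow, so whenever AdminStep is also registered on TestWorkflow the result no longer depends only on the forbidden step. Giving the fixture its own identity, `name = "Admin Forbidden Action"` and `slug = "admin_forbidden_action"`, keeps the access-control assertion tied to the step it is meant to cover. AdminAction's own Meta is outside the hunk, so the name clash is inferred from the shared slug.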
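Review bot: The `setUp` patch makes `openstack_auth.policy.check` return True for every test in WorkflowsTests, so the class runs allow-all by default and a test exercises a denial only if it remembers to stop `self.policy_patcher` first. That contract deserves a comment, for example `# Allow-all policy by default; tests of policy denial must stop this patcher and install their own check.` Because the replacement is a plain lambda passed as `new`, `start()` returns that lambda, so `self.policy_check` records no calls and is unused in the visible hunks. `mock.patch('openstack_auth.policy.check', return_value=True)` would give a Mock that tests can assert on. The class body continues outside the hunk.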
@@ -294,6 +312,21 @@ class WorkflowsTests(test.TestCase):
 '<AdminStep: admin_action>',
 '<TestStepTwo: test_action_two>'])
+ def test_step_is_hidden_on_policy(self):
+ self.policy_patcher.stop()
+
+ def policy_check(action, request):
+ if action == (('action', 'forbidden'),):
+ return False
+ return True
+
+ with mock.patch('openstack_auth.policy.check', policy_check):
+ TestWorkflow.register(AdminForbiddenStep)
+ flow = TestWorkflow(self.request)
+ output = http.HttpResponse(flow.render())
+ self.assertNotContains(output,
+ six.text_type(AdminForbiddenAction.name))
+
 def test_entry_point(self):
 req = self.factory.get("/foo")
 flow = TestWorkflow(req) |
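Review bot: `test_step_is_hidden_on_policy` registers AdminForbiddenStep on the TestWorkflow class and never unregisters it, and its only assertion is negative, so it would also pass if the step were missing from the page for a reason unrelated to policy. No `unregister` call is visible in the hunk; if `register` stores the step on the class, the forbidden step leaks into every later test that builds TestWorkflow. Wrapping the stub in `mock.Mock(side_effect=policy_check)` and asserting that it was called with the forbidden rule shows the check was actually consulted, assuming the workflow passes the rule tuple and the request positionally, as the stub's signature suggests. The test covers rendering only; whether submitted data for a hidden step is rejected is not exercised here.

```python
        checker = mock.Mock(side_effect=policy_check)
        with mock.patch('openstack_auth.policy.check', checker):
            TestWorkflow.register(AdminForbiddenStep)
            self.addCleanup(TestWorkflow.unregister, AdminForbiddenStep)
            # … unchanged: build the flow, render it, assertNotContains …
        checker.assert_any_call((('action', 'forbidden'),), self.request)
```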