Skip to content

Commit

Permalink
YDA-5541: Allow functionaladminpriv to create deposit grp
Browse files Browse the repository at this point in the history
  • Loading branch information
@claravox
claravox committed Jan 3, 2024
1 parent b886fdd commit 585c21d
Show file tree
Hide file tree
Showing 2 changed files with 17 additions and 3 deletions.
5 changes: 3 additions & 2 deletions iiDatamanagerPolicies.r
View file
Original file line number Diff line number Diff line change
Expand Up @@ -90,7 +90,7 @@ iiCanDatamanagerAclSet(*objPath, *actor, *otherName, *recursive, *accessLevel, *
uuGroupExists(*otherName, *datamanagerExists);
if (!*datamanagerExists) {
*allowed = false;
*reason = "User is not a datamanager or *otherName does not exists.";
*reason = "User is not a datamanager or *otherName does not exist.";
succeed;
}
uuGroupGetMemberType(*otherName, *actor, *userTypeIfDatamanager);
Expand Down Expand Up @@ -187,7 +187,8 @@ iiCanDatamanagerAclSet(*objPath, *actor, *otherName, *recursive, *accessLevel, *
}
}

# fallback to prevent users defining and using there own iiCanDatamanagerAclSet. This is also reached when the frontend requests a status change it is not allowed to
# fallback to prevent users defining and using their own iiCanDatamanagerAclSet.
# This is also reached when the frontend requests a status change it is not allowed to do.
on (true) {
*allowed = false;
*reason = "Current status of folder *objPath is not 'submitted', 'accepted' or 'rejected'. Therefore the requested action can not be completed as a datamanager.";
Expand Down
15 changes: 14 additions & 1 deletion uuGroupPolicies.r
View file
Original file line number Diff line number Diff line change
Expand Up @@ -297,6 +297,19 @@ uuGroupPreSudoObjAclSet(*recursive, *accessLevel, *otherName, *objPath, *policyK
# 'read-|vault-' group.
succeed;
}
} else if (*accessLevel == "noinherit") {
*forGroup = *policyKv."forGroup";
uuGetBaseGroup(*forGroup, *baseGroup);
uuGroupUserIsManager(*baseGroup, uuClientFullName, *isManagerInBaseGroup);
if (
*forGroup like regex "(deposit)-.*"
&& *isManagerInBaseGroup
&& *objPath == "/$rodsZoneClient/home/*forGroup") {
# Allow for deposit groups if the client is a manager
# in the basegroup of *forGroup,
# and *objPath is *forGroup's home directory.
succeed;
}
}

fail;
Expand Down Expand Up @@ -572,11 +585,11 @@ uuPostSudoGroupAdd(*groupName, *initialAttr, *initialValue, *initialUnit, *polic
}

uuPostSudoGroupRemove(*groupName, *policyKv) {
uuChop(*groupName, *_, *baseName, "-", true);
if (*groupName like regex "(intake|research)-.*") {
# This is a group manager managed group with a read-only counterpart.
# Clean up the read-only shadow group.

uuChop(*groupName, *_, *baseName, "-", true);
*roGroupName = "read-*baseName";
msiSudoGroupRemove(*roGroupName, "");

Expand Down

0 comments on commit 585c21d

Please sign in to comment.