|
| 1 | +From 4aacbc95cb8a1671017425794029eaa112cdcefe Mon Sep 17 00:00:00 2001 |
| 2 | +From: Dong Ma <dong.ma@vexxhost.com> |
| 3 | +Date: Tue, 21 Oct 2025 11:44:15 +0000 |
| 4 | +Subject: [PATCH] Don't send enable_port_security when disallowed by policy |
| 5 | + |
| 6 | +When a user creates a network port, if they don't have the rights |
| 7 | +to change port security, they will be unable to submit the form. |
| 8 | +The solution is to not send any value for port security when the |
| 9 | +user doesn't have the rights to change it. |
| 10 | + |
| 11 | +Change-Id: I70d15b71083c3934ed48f24765b42a62daf58cf8 |
| 12 | +Signed-off-by: Dong Ma <dong.ma@vexxhost.com> |
| 13 | +(cherry picked from commit 4b933df52ae64314b26c2d8028203b70091736c9) |
| 14 | +--- |
| 15 | + |
| 16 | +diff --git a/openstack_dashboard/dashboards/admin/networks/ports/tests.py b/openstack_dashboard/dashboards/admin/networks/ports/tests.py |
| 17 | +index b9f33f3..d6bb6f4 100644 |
| 18 | +--- a/openstack_dashboard/dashboards/admin/networks/ports/tests.py |
| 19 | ++++ b/openstack_dashboard/dashboards/admin/networks/ports/tests.py |
| 20 | +@@ -216,7 +216,7 @@ |
| 21 | + self.assertRedirectsNoFollow(res, redir_url) |
| 22 | + |
| 23 | + self.assert_mock_multiple_calls_with_same_arguments( |
| 24 | +- self.mock_network_get, 2, |
| 25 | ++ self.mock_network_get, 3, |
| 26 | + mock.call(test.IsHttpRequest(), network.id)) |
| 27 | + self.mock_security_group_list.assert_called_once_with( |
| 28 | + test.IsHttpRequest(), tenant_id='1') |
| 29 | +@@ -284,7 +284,7 @@ |
| 30 | + self.assertRedirectsNoFollow(res, redir_url) |
| 31 | + |
| 32 | + self.assert_mock_multiple_calls_with_same_arguments( |
| 33 | +- self.mock_network_get, 2, |
| 34 | ++ self.mock_network_get, 3, |
| 35 | + mock.call(test.IsHttpRequest(), network.id)) |
| 36 | + self._check_is_extension_supported( |
| 37 | + {'mac-learning': 1, |
| 38 | +@@ -363,7 +363,7 @@ |
| 39 | + self.assertRedirectsNoFollow(res, redir_url) |
| 40 | + |
| 41 | + self.assert_mock_multiple_calls_with_same_arguments( |
| 42 | +- self.mock_network_get, 2, |
| 43 | ++ self.mock_network_get, 3, |
| 44 | + mock.call(test.IsHttpRequest(), network.id)) |
| 45 | + self._check_is_extension_supported( |
| 46 | + {'mac-learning': 1, |
| 47 | +diff --git a/openstack_dashboard/dashboards/project/networks/ports/tests.py b/openstack_dashboard/dashboards/project/networks/ports/tests.py |
| 48 | +index 8b9b722..f091b9c 100644 |
| 49 | +--- a/openstack_dashboard/dashboards/project/networks/ports/tests.py |
| 50 | ++++ b/openstack_dashboard/dashboards/project/networks/ports/tests.py |
| 51 | +@@ -624,7 +624,7 @@ |
| 52 | + self.assertRedirectsNoFollow(res, redir_url) |
| 53 | + |
| 54 | + self.assert_mock_multiple_calls_with_same_arguments( |
| 55 | +- self.mock_network_get, 2, |
| 56 | ++ self.mock_network_get, 3, |
| 57 | + mock.call(test.IsHttpRequest(), network.id)) |
| 58 | + self._check_is_extension_supported({'binding': 1, |
| 59 | + 'mac-learning': 1, |
| 60 | +@@ -769,7 +769,7 @@ |
| 61 | + self.assertRedirectsNoFollow(res, redir_url) |
| 62 | + |
| 63 | + self.assert_mock_multiple_calls_with_same_arguments( |
| 64 | +- self.mock_network_get, 2, |
| 65 | ++ self.mock_network_get, 3, |
| 66 | + mock.call(test.IsHttpRequest(), network.id)) |
| 67 | + self._check_is_extension_supported({'binding': 1, |
| 68 | + 'mac-learning': 1, |
| 69 | +diff --git a/openstack_dashboard/dashboards/project/networks/ports/workflows.py b/openstack_dashboard/dashboards/project/networks/ports/workflows.py |
| 70 | +index 2ad7995..02afcd9 100644 |
| 71 | +--- a/openstack_dashboard/dashboards/project/networks/ports/workflows.py |
| 72 | ++++ b/openstack_dashboard/dashboards/project/networks/ports/workflows.py |
| 73 | +@@ -24,6 +24,7 @@ |
| 74 | + |
| 75 | + from openstack_dashboard import api |
| 76 | + from openstack_dashboard.dashboards.project.networks.ports import sg_base |
| 77 | ++from openstack_dashboard import policy |
| 78 | + from openstack_dashboard.utils import filters |
| 79 | + from openstack_dashboard.utils import settings as setting_utils |
| 80 | + |
| 81 | +@@ -248,6 +249,25 @@ |
| 82 | + def handle(self, request, context): |
| 83 | + try: |
| 84 | + params = self._construct_parameters(context) |
| 85 | ++ network_id = context['network_id'] |
| 86 | ++ try: |
| 87 | ++ network = api.neutron.network_get(self.request, network_id) |
| 88 | ++ except Exception: |
| 89 | ++ network = None |
| 90 | ++ if ( |
| 91 | ++ not policy.check( |
| 92 | ++ (("network", "create_port:port_security_enabled"),), |
| 93 | ++ request, |
| 94 | ++ { |
| 95 | ++ 'network_id': context['network_id'], |
| 96 | ++ 'tenant_id': context['target_tenant_id'], |
| 97 | ++ 'network:tenant_id': getattr( |
| 98 | ++ network, 'tenant_id', None |
| 99 | ++ ), |
| 100 | ++ } |
| 101 | ++ ) and params.get('port_security_enabled', True) |
| 102 | ++ ): |
| 103 | ++ params.pop('port_security_enabled') |
| 104 | + port = api.neutron.port_create(request, **params) |
| 105 | + self.context['port_id'] = port.id |
| 106 | + return True |
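Review bot: `params.pop('port_security_enabled')` in `handle` raises KeyError whenever the policy check denies and `_construct_parameters` left the key out of `params`, because the guard `params.get('port_security_enabled', True)` is also true for a missing key; `params.pop('port_security_enabled', None)` avoids that. The error would only surface through the outer `try`, whose `except` lies outside this hunk, so the user would presumably see a generic port-creation failure. The inner `except Exception: network = None` hides a failed `network_get`, after which the check runs with `network:tenant_id` set to None; that looks fail-safe, since the field is withheld, but it deserves a log line and a comment such as `# lookup failed: evaluate policy without the network owner, which can only withhold the field`. An explicit False from the form is still forwarded when the policy denies, which appears intentional (Neutron's own policy then rejects the request rather than the dashboard silently changing the user's choice) and should be stated in a comment above the `if`. None of the updated tests exercises the denied path; they only raise the expected `network_get` call count from 2 to 3.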
| 107 | +diff --git a/releasenotes/notes/donot-send-enable_port_security-when-disallowed-by-policy-aa3afc4ec7258fd4.yaml b/releasenotes/notes/donot-send-enable_port_security-when-disallowed-by-policy-aa3afc4ec7258fd4.yaml |
| 108 | +new file mode 100644 |
| 109 | +index 0000000..b0db4c4 |
| 110 | +--- /dev/null |
| 111 | ++++ b/releasenotes/notes/donot-send-enable_port_security-when-disallowed-by-policy-aa3afc4ec7258fd4.yaml |
| 112 | +@@ -0,0 +1,8 @@ |
| 113 | ++--- |
| 114 | ++features: |
| 115 | ++ - | |
| 116 | ++ Don't send enable_port_security when disallowed by policy. When a user |
| 117 | ++ creates a network port, if they don't have the rights to change port |
| 118 | ++ security, they will be unable to submit the form. The solution is to not |
| 119 | ++ send any value for port security when the user doesn't have the rights |
| 120 | ++ to change it. |