Based on HEAD of the master branch as of 2016/09/16. The permalinks below are pinned to commit 46323a013e29b8717ef17ce1a0245d29d14eb7c8.
- spec/unit/access/app_access_spec.rb
https://github.com/cloudfoundry/cloud_controller_ng/blob/46323a013e29b8717ef17ce1a0245d29d14eb7c8/spec/unit/access/app_access_spec.rb#L69
45 context 'space developer' do
...
69 it_behaves_like :read_only_access
- spec/unit/access/organization_access_spec.rb
https://github.com/cloudfoundry/cloud_controller_ng/blob/46323a013e29b8717ef17ce1a0245d29d14eb7c8/spec/unit/access/organization_access_spec.rb#L61
43 context 'a manager for the organization' do
...
61 it_behaves_like :read_only_access
- spec/unit/access/private_domain_access_spec.rb
https://github.com/cloudfoundry/cloud_controller_ng/blob/46323a013e29b8717ef17ce1a0245d29d14eb7c8/spec/unit/access/private_domain_access_spec.rb#L30
24 context 'organization manager' do
...
30 it_behaves_like :read_only_access
- spec/unit/access/route_access_spec.rb
https://github.com/cloudfoundry/cloud_controller_ng/blob/46323a013e29b8717ef17ce1a0245d29d14eb7c8/spec/unit/access/route_access_spec.rb#L53
47 context 'organization manager' do
...
53 it_behaves_like :read_only_access
- spec/unit/access/service_binding_access_spec.rb
https://github.com/cloudfoundry/cloud_controller_ng/blob/46323a013e29b8717ef17ce1a0245d29d14eb7c8/spec/unit/access/service_binding_access_spec.rb#L116-L119
105 context 'space developer' do
...
116 it { is_expected.to allow_op_on_object :read, object }
117 it { is_expected.not_to allow_op_on_object :read_for_update, object }
118 it { is_expected.not_to allow_op_on_object :update, object }
119 it { is_expected.to allow_op_on_object :index, object.class }
- spec/unit/access/service_instance_access_spec.rb
https://github.com/cloudfoundry/cloud_controller_ng/blob/46323a013e29b8717ef17ce1a0245d29d14eb7c8/spec/unit/access/service_instance_access_spec.rb#L75-L77
64 context 'space developer' do
...
75 it_behaves_like :read_only_access do
76 let(:object) { service_instance }
77 end
- spec/unit/access/service_key_access_spec.rb
https://github.com/cloudfoundry/cloud_controller_ng/blob/46323a013e29b8717ef17ce1a0245d29d14eb7c8/spec/unit/access/service_key_access_spec.rb#L86
72 context 'space developer' do
...
86 it_behaves_like :read_only_access
- spec/unit/access/space_access_spec.rb
https://github.com/cloudfoundry/cloud_controller_ng/blob/46323a013e29b8717ef17ce1a0245d29d14eb7c8/spec/unit/access/space_access_spec.rb#L23
17 context 'as an organization manager' do
...
23 it_behaves_like :read_only_access
- spec/unit/access/space_quota_definition_access_spec.rb
https://github.com/cloudfoundry/cloud_controller_ng/blob/46323a013e29b8717ef17ce1a0245d29d14eb7c8/spec/unit/access/space_quota_definition_access_spec.rb#L24
17 context 'organization manager' do
...
24 it_behaves_like :read_only_access
- spec/unit/controllers/runtime/apps_controller_spec.rb
https://github.com/cloudfoundry/cloud_controller_ng/blob/46323a013e29b8717ef17ce1a0245d29d14eb7c8/spec/unit/controllers/runtime/apps_controller_spec.rb#L168-L169
9 set_current_user(non_admin_user)
...
168 post '/v2/apps', MultiJson.dump(initial_hash)
169 expect(last_response.status).to eq(403)
- spec/unit/lib/cloud_controller/membership_spec.rb
https://github.com/cloudfoundry/cloud_controller_ng/blob/46323a013e29b8717ef17ce1a0245d29d14eb7c8/spec/unit/lib/cloud_controller/membership_spec.rb#L312-L320
# Expects has_any_roles? to be falsey when asked about the four org-level roles
# with a nil second argument and the organization's guid as the third.
# NOTE(review): the enclosing context is elided in this excerpt, so the user
# and org state that makes the check fail is not visible here -- confirm
# against the linked spec.
it 'returns false' do
  org_roles = [
    Membership::ORG_MEMBER,
    Membership::ORG_MANAGER,
    Membership::ORG_AUDITOR,
    Membership::ORG_BILLING_MANAGER
  ]

  result = membership.has_any_roles?(org_roles, nil, organization.guid)

  expect(result).to be_falsey
end
REFERENCE: spec/support/shared_examples/access/access_levels.rb
https://github.com/cloudfoundry/cloud_controller_ng/blob/46323a013e29b8717ef17ce1a0245d29d14eb7c8/spec/support/shared_examples/access/access_levels.rb#L10-L18
# Shared contract for a role that may look but not touch: :read on the object
# and :index on its class are allowed, every mutating operation is denied.
shared_examples :read_only_access do
  it { is_expected.not_to allow_op_on_object(:create, object) }
  it { is_expected.to allow_op_on_object(:read, object) }
  it { is_expected.not_to allow_op_on_object(:read_for_update, object) }
  # update only runs if read_for_update succeeds, so both are asserted denied
  it { is_expected.not_to allow_op_on_object(:update, object) }
  it { is_expected.not_to allow_op_on_object(:delete, object) }
  it { is_expected.to allow_op_on_object(:index, object.class) }
end
- app/access/app_access.rb
https://github.com/cloudfoundry/cloud_controller_ng/blob/46323a013e29b8717ef17ce1a0245d29d14eb7c8/app/access/app_access.rb#L3-L31
# Decides whether the current user may create +app+.
# Admins are allowed before the suspended-org check is consulted; any other
# user must be a developer of the app's space, and the org must not be
# suspended. +params+ is accepted but not read here.
def create?(app, params=nil)
  if admin_user?
    true
  elsif app.in_suspended_org?
    false
  else
    app.space.has_developer?(context.user)
  end
end
# Gate that runs before an update is applied to +app+.
# Admins pass unconditionally. Everyone else must first satisfy create?, and
# then two parameter-dependent checks run when +params+ is given:
#   * changing instances, memory or disk_quota requires the :app_scaling
#     feature flag (raises via FeatureFlag when it is disabled);
#   * changing 'diego' raises BackendSelectionNotAuthorized unless the
#     :users_can_select_backend config entry is truthy.
# Returns true when no check fails, false when create? is denied.
def read_for_update?(app, params=nil)
  return true if admin_user?
  return false unless create?(app, params)
  return true if params.nil?

  # send is only ever invoked with the three literal attribute names below,
  # never with an arbitrary key taken from params.
  scaling_requested = %w(instances memory disk_quota).any? do |attr|
    params.key?(attr) && params[attr] != app.send(attr.to_sym)
  end
  FeatureFlag.raise_unless_enabled!(:app_scaling) if scaling_requested

  backend_locked = !Config.config[:users_can_select_backend]
  if backend_locked && params.key?('diego') && params['diego'] != app.diego
    raise CloudController::Errors::ApiError.new_from_details('BackendSelectionNotAuthorized')
  end

  true
end
# Update permission is exactly the create? decision for the same app and
# params. The scaling and backend-selection checks live in read_for_update?,
# not here.
def update?(app, params=nil)
  create?(app, params)
end
# Deleting an app needs the same permission as creating it; create? is called
# without params.
def delete?(app)
  create?(app)
end
- app/access/private_domain_access.rb
https://github.com/cloudfoundry/cloud_controller_ng/blob/46323a013e29b8717ef17ce1a0245d29d14eb7c8/app/access/private_domain_access.rb#L3-L22
# Decides whether the current user may create +private_domain+.
# Admins are allowed outright. Other users must pass update? first; only then
# is the :private_domain_creation feature flag enforced (it raises when
# disabled), so a user who fails update? gets false rather than the flag error.
def create?(private_domain, params=nil)
  return true if admin_user?

  if update?(private_domain, params)
    FeatureFlag.raise_unless_enabled!(:private_domain_creation)
    true
  else
    false
  end
end
# Same decision as update? for this domain. The +params+ argument is accepted
# but not forwarded.
def read_for_update?(private_domain, params=nil)
  update?(private_domain)
end
# Core rule for private domains: admins always pass; otherwise the domain's
# org must not be suspended and the current user must be among the managers
# of the owning organization. +params+ is not read.
def update?(private_domain, params=nil)
  if admin_user?
    true
  elsif private_domain.in_suspended_org?
    false
  else
    private_domain.owning_organization.managers.include?(context.user)
  end
end
# Deleting a private domain is governed by the update? rule.
def delete?(private_domain)
  update?(private_domain)
end
- app/access/route_access.rb
https://github.com/cloudfoundry/cloud_controller_ng/blob/46323a013e29b8717ef17ce1a0245d29d14eb7c8/app/access/route_access.rb#L3-L24
# Decides whether the current user may create +route+.
# Admins pass first. For everyone else the request is refused when the org is
# suspended or when the host is the wildcard '*' on a shared domain; both
# refusals happen before the :route_creation feature flag is consulted (the
# flag raises when disabled). The final answer is space-developer membership.
def create?(route, params=nil)
  return true if admin_user?
  return false if route.in_suspended_org? || (route.host == '*' && route.domain.shared?)

  FeatureFlag.raise_unless_enabled!(:route_creation)
  route.space.has_developer?(context.user)
end
# Pre-update gate; identical to update? with the same route and params.
def read_for_update?(route, params=nil)
  update?(route, params)
end
# Update rule for routes. Applies the same checks as create? except that no
# feature flag is consulted: admins pass, suspended orgs and wildcard hosts
# on shared domains are refused, otherwise the user must be a developer of
# the route's space.
def update?(route, params=nil)
  if admin_user?
    true
  elsif route.in_suspended_org?
    false
  elsif route.host == '*' && route.domain.shared?
    false
  else
    route.space.has_developer?(context.user)
  end
end
# Deleting a route follows update?, so the :route_creation flag used by
# create? does not apply to deletion.
def delete?(route)
  update?(route)
end
- app/access/route_binding_access.rb
https://github.com/cloudfoundry/cloud_controller_ng/blob/46323a013e29b8717ef17ce1a0245d29d14eb7c8/app/access/route_binding_access.rb#L3-L11
# Decides whether the current user may create the binding.
# Admins pass before the suspended-org check; other users need a
# non-suspended org and developer membership in the binding's space.
def create?(service_binding, params=nil)
  return true if admin_user?

  service_binding.in_suspended_org? ? false : service_binding.space.has_developer?(context.user)
end
# Deleting a binding needs the same permission as creating it.
def delete?(service_binding)
  create?(service_binding)
end
- app/access/route_mapping_access.rb
https://github.com/cloudfoundry/cloud_controller_ng/blob/46323a013e29b8717ef17ce1a0245d29d14eb7c8/app/access/route_mapping_access.rb#L3-L19
# Decides whether the current user may create +route_mapping+.
# Both non-admin checks are made against the mapping's route: its org must
# not be suspended and the user must be a developer of the route's space.
def create?(route_mapping, params=nil)
  return true if admin_user?

  if route_mapping.route.in_suspended_org?
    false
  else
    route_mapping.route.space.has_developer?(context.user)
  end
end
# Pre-update gate; reuses create? and does not forward +params+.
def read_for_update?(route_mapping, params=nil)
  create?(route_mapping)
end
# Update permission is whatever read_for_update? answers for the same
# arguments (which in turn is the create? rule).
def update?(route_mapping, params=nil)
  read_for_update?(route_mapping, params)
end
# Deleting a route mapping needs the same permission as creating it.
def delete?(route_mapping)
  create?(route_mapping)
end
- app/access/service_instance_access.rb
https://github.com/cloudfoundry/cloud_controller_ng/blob/46323a013e29b8717ef17ce1a0245d29d14eb7c8/app/access/service_instance_access.rb#L3-L24
# Decides whether the current user may create +service_instance+.
# Admins pass first. For other users the :service_instance_creation feature
# flag is enforced before the suspended-org check, so a disabled flag raises
# even when the org is suspended. After that the user must be a space
# developer and allowed? must also hold.
def create?(service_instance, params=nil)
  return true if admin_user?

  FeatureFlag.raise_unless_enabled!(:service_instance_creation)
  if service_instance.in_suspended_org?
    false
  else
    is_developer = service_instance.space.has_developer?(context.user)
    is_developer && allowed?(service_instance)
  end
end
# Pre-update gate: admins pass; otherwise the org must not be suspended and
# the user must be a developer of the instance's space. Neither the feature
# flag nor allowed? is consulted here. +params+ is not read.
def read_for_update?(service_instance, params=nil)
  return true if admin_user?

  service_instance.in_suspended_org? ? false : service_instance.space.has_developer?(context.user)
end
# Update requires read_for_update? and, on top of it, allowed?.
# allowed? is only evaluated when read_for_update? is truthy, and it is
# applied to admins as well because read_for_update? returns true for them.
def update?(service_instance, params=nil)
  may_read = read_for_update?(service_instance, params)
  may_read && allowed?(service_instance)
end
# Delete rule: admins pass; otherwise non-suspended org plus space-developer
# membership. Unlike create? and update?, allowed? is not consulted and no
# feature flag applies.
def delete?(service_instance)
  if admin_user?
    true
  elsif service_instance.in_suspended_org?
    false
  else
    service_instance.space.has_developer?(context.user)
  end
end
- app/access/service_key_access.rb
https://github.com/cloudfoundry/cloud_controller_ng/blob/46323a013e29b8717ef17ce1a0245d29d14eb7c8/app/access/service_key_access.rb#L3-L16
# Decides whether the current user may create +service_key+.
# Admins pass; other users need a non-suspended org and developer membership
# in the space of the key's service instance.
def create?(service_key, params=nil)
  if admin_user?
    true
  elsif service_key.in_suspended_org?
    false
  else
    service_key.service_instance.space.has_developer?(context.user)
  end
end
# Deleting a service key needs the same permission as creating it.
def delete?(service_key)
  create?(service_key)
end
# Read rule for service keys. Admins and read-only admins may always read;
# any other user must be a developer of the service instance's space.
# There is no suspended-org check on this path.
def read?(service_key)
  global_reader = admin_user? || admin_read_only_user?
  return true if global_reader

  service_key.service_instance.space.has_developer?(context.user)
end
- app/access/space_access.rb
https://github.com/cloudfoundry/cloud_controller_ng/blob/46323a013e29b8717ef17ce1a0245d29d14eb7c8/app/access/space_access.rb#L3-L26
# Decides whether the current user may create +space+.
# Admins pass; otherwise the org must not be suspended and the user must be
# one of the organization's managers. Space-level managers are not accepted
# here. +params+ is not read.
def create?(space, params=nil)
  return true if admin_user?

  space.in_suspended_org? ? false : space.organization.managers.include?(context.user)
end
# Admins may always remove a related object. Other users may do so when
# user_acting_on_themselves?(params) holds; failing that, the decision falls
# through to the parent class implementation via super.
def can_remove_related_object?(space, params)
  if admin_user?
    true
  else
    user_acting_on_themselves?(params) || super
  end
end
# Pre-update gate for spaces. Admins pass; a suspended org blocks everyone
# else. Otherwise either an organization manager or a manager of the space
# itself is accepted, which is wider than the create? rule. The space-manager
# lookup only runs when the org-manager check is falsy.
def read_for_update?(space, params=nil)
  return true if admin_user?
  return false if space.in_suspended_org?

  org_manager = space.organization.managers.include?(context.user)
  org_manager || space.managers.include?(context.user)
end
# Update permission is whatever read_for_update? answers for the same
# arguments, so space managers may update.
def update?(space, params=nil)
  read_for_update?(space, params)
end
# Deleting a space follows create?, not update?: a space manager who may
# update the space is not thereby allowed to delete it.
def delete?(space)
  create?(space)
end
- app/access/space_quota_definition_access.rb
https://github.com/cloudfoundry/cloud_controller_ng/blob/46323a013e29b8717ef17ce1a0245d29d14eb7c8/app/access/space_quota_definition_access.rb#L3-L19
2 class SpaceQuotaDefinitionAccess < BaseAccess
# Decides whether the current user may create the quota definition.
# Admins pass; otherwise the owning organization must not be suspended
# (checked with organization.suspended?) and the user must be one of that
# organization's managers. +params+ is not read.
def create?(space_quota_definition, params=nil)
  if admin_user?
    true
  elsif space_quota_definition.organization.suspended?
    false
  else
    space_quota_definition.organization.managers.include?(context.user)
  end
end
# Pre-update gate; reuses create? and does not forward +params+.
def read_for_update?(space_quota_definition, params=nil)
  create?(space_quota_definition)
end
# Update permission is the create? decision; +params+ is not forwarded.
def update?(space_quota_definition, params=nil)
  create?(space_quota_definition)
end
# Delete permission is the create? decision; +params+ is accepted but unused.
def delete?(space_quota_definition, params=nil)
  create?(space_quota_definition)
end