Properly enable/disable project/user edit via setting.

For identity backends which don't support editing (LDAP, et. al.)
we already have a setting that turns off user editing, but it was
applied inconsistently. This patch applies it more thoroughly
and adds the same functionality for projects.

Fixes bug 1109019.

Change-Id: Ia1316de4ff76779b93edd1c1f364ede9aabb6fd0

openstack_dashboard/api/keystone.py

@@ -277,10 +277,13 @@ def get_user_ec2_credentials(request, user_id, access_token):
 
 
 def keystone_can_edit_user():
-    if hasattr(settings, "OPENSTACK_KEYSTONE_BACKEND"):
-        return settings.OPENSTACK_KEYSTONE_BACKEND['can_edit_user']
-    else:
-        return False
+    backend_settings = getattr(settings, "OPENSTACK_KEYSTONE_BACKEND", {})
+    return backend_settings.get('can_edit_user', True)
+
+
+def keystone_can_edit_project():
+    backend_settings = getattr(settings, "OPENSTACK_KEYSTONE_BACKEND", {})
+    return backend_settings.get('can_edit_project', True)
 
 
 def keystone_backend_name():

openstack_dashboard/dashboards/admin/projects/tables.py

@@ -40,6 +40,9 @@ class CreateProject(tables.LinkAction):
     url = "horizon:admin:projects:create"
     classes = ("btn-launch", "ajax-modal",)
 
+    def allowed(self, request, project):
+        return api.keystone.keystone_can_edit_project()
+
 
 class UpdateProject(tables.LinkAction):
     name = "update"
@@ -47,6 +50,9 @@ class UpdateProject(tables.LinkAction):
     url = "horizon:admin:projects:update"
     classes = ("ajax-modal", "btn-edit")
 
+    def allowed(self, request, project):
+        return api.keystone.keystone_can_edit_project()
+
 
 class ModifyQuotas(tables.LinkAction):
     name = "quotas"
@@ -65,6 +71,9 @@ class DeleteTenantsAction(tables.DeleteAction):
     data_type_singular = _("Project")
     data_type_plural = _("Projects")
 
+    def allowed(self, request, project):
+        return api.keystone.keystone_can_edit_project()
+
     def delete(self, request, obj_id):
         api.keystone.tenant_delete(request, obj_id)
 

openstack_dashboard/dashboards/admin/users/tables.py

@@ -22,9 +22,7 @@ class CreateUserLink(tables.LinkAction):
     classes = ("ajax-modal", "btn-create")
 
     def allowed(self, request, user):
-        if api.keystone.keystone_can_edit_user():
-            return True
-        return False
+        return api.keystone.keystone_can_edit_user()
 
 
 class EditUserLink(tables.LinkAction):
@@ -33,6 +31,9 @@ class EditUserLink(tables.LinkAction):
     url = "horizon:admin:users:update"
     classes = ("ajax-modal", "btn-edit")
 
+    def allowed(self, request, user):
+        return api.keystone.keystone_can_edit_user()
+
 
 class ToggleEnabled(tables.BatchAction):
     name = "enable"
@@ -43,6 +44,9 @@ class ToggleEnabled(tables.BatchAction):
     classes = ("btn-enable",)
 
     def allowed(self, request, user=None):
+        if not api.keystone.keystone_can_edit_user():
+            return False
+
         self.enabled = True
         if not user:
             return self.enabled

openstack_dashboard/local/local_settings.py.example

@@ -87,7 +87,8 @@ OPENSTACK_KEYSTONE_DEFAULT_ROLE = "Member"
 # TODO(tres): Remove these once Keystone has an API to identify auth backend.
 OPENSTACK_KEYSTONE_BACKEND = {
     'name': 'native',
-    'can_edit_user': True
+    'can_edit_user': True,
+    'can_edit_project': True
 }
 
 OPENSTACK_HYPERVISOR_FEATURES = {

openstack_dashboard/test/settings.py

@@ -65,7 +65,8 @@ OPENSTACK_KEYSTONE_DEFAULT_ROLE = "Member"
 
 OPENSTACK_KEYSTONE_BACKEND = {
     'name': 'native',
-    'can_edit_user': True
+    'can_edit_user': True,
+    'can_edit_project': True
 }
 
 OPENSTACK_HYPERVISOR_FEATURES = {