From 43f386a6e3d0c141cd732b5ef5c2be8349f51f03 Mon Sep 17 00:00:00 2001
From: Jon Robertson <jonrober@stanford.edu>
Date: Tue, 9 Jun 2015 13:06:56 -0700
Subject: ACL.pm: Destroying a nested ACL will now fail

When destroying an ACL nested in other ACLs, we now fail with an
explanation rather than going through to remove all the places it's
nested.  That's more in line with how we handle trying to destroy ACLs
that own things.

Change-Id: I8bc0530e37c54369ec52d9b369f8fabe98def77a
---
 perl/lib/Wallet/ACL.pm | 23 ++++++++++++-----------
 perl/t/general/acl.t   | 14 +++++++++++---
 2 files changed, 23 insertions(+), 14 deletions(-)

(limited to 'perl')

diff --git a/perl/lib/Wallet/ACL.pm b/perl/lib/Wallet/ACL.pm
index 6d8005d..f875185 100644
--- a/perl/lib/Wallet/ACL.pm
+++ b/perl/lib/Wallet/ACL.pm
@@ -273,19 +273,20 @@ sub destroy {
             die "ACL in use by ".$entry->ob_type.":".$entry->ob_name;
         }
 
-        # Delete any entries (there may or may not be any).
-        my %search = (ae_id => $self->{id});
-        @entries = $self->{schema}->resultset('AclEntry')->search(\%search);
-        for my $entry (@entries) {
-            $entry->delete;
+        # Also make certain the ACL isn't being nested in another.
+        my %search = (ae_scheme     => 'nested',
+                      ae_identifier => $self->{name});
+        my %options = (join     => 'acls',
+                       prefetch => 'acls');
+        @entries = $self->{schema}->resultset('AclEntry')->search(\%search,
+                                                                  \%options);
+        if (@entries) {
+            my ($entry) = @entries;
+            die "ACL is nested in ACL ".$entry->acls->ac_name;
         }
 
-        # Find any references to this being used as a nested verifier and
-        # remove them.  This really breaks out of the normal flow, but it's
-        # hard to do otherwise.
-        %search = (ae_scheme     => 'nested',
-                   ae_identifier => $self->{name},
-                  );
+        # Delete any entries (there may or may not be any).
+        %search = (ae_id => $self->{id});
         @entries = $self->{schema}->resultset('AclEntry')->search(\%search);
         for my $entry (@entries) {
             $entry->delete;
diff --git a/perl/t/general/acl.t b/perl/t/general/acl.t
index aad4b6d..4de7493 100755
--- a/perl/t/general/acl.t
+++ b/perl/t/general/acl.t
@@ -12,7 +12,7 @@ use strict;
 use warnings;
 
 use POSIX qw(strftime);
-use Test::More tests => 113;
+use Test::More tests => 115;
 
 use Wallet::ACL;
 use Wallet::Admin;
@@ -223,10 +223,18 @@ EOO
 is ($acl->history, $history, 'History is correct');
 
 # Test destroy.
+$acl->destroy (@trace);
+is ($acl->error, 'cannot destroy ACL example: ACL is nested in ACL test-nesting',
+    'Destroying a nested ACL fails');
+if ($acl_nest->remove ('nested', 'example', @trace)) {
+    ok (1, ' and removing the nesting succeeds');
+} else {
+    is ($acl_nest->error, '', 'and removing the nesting succeeds');
+}
 if ($acl->destroy (@trace)) {
-    ok (1, 'Destroying the ACL works');
+    ok (1, ' and now destroying the ACL works');
 } else {
-    is ($acl->error, '', 'Destroying the ACL works');
+    is ($acl->error, '', ' and now destroying the ACL works');
 }
 $acl = eval { Wallet::ACL->new ('example', $schema) };
 ok (!defined ($acl), ' and now cannot be found');
-- 
cgit v1.2.3