Open d-w-moore opened 2 years ago
The following code is the reason why only rodsadmin users can use irule
to invoke rules in core.py.
https://github.com/irods/irods_rule_engine_plugin_python/blob/0a07fb97b582367afaa31d1981bd065ad32229d2/irods_rule_engine_plugin-python.cxx#L623-L626
If Boost.Python gives us a way to fetch all rules/functions inside of core.py, then we can use that to determine whether the rule text sent by the client should be executed.
The command:
should succeed if executed by a
rodsuser
. In this context, the command line argumentpython_rule
should be taken as the identifier of a python function (a rule) defined in the global namespace of /etc/irods/core.py. Currently this command only succeeds for arodsadmin
. Arodsuser
gets the errorSYS_NO_API_PRIV
.