irods / irods_rule_engine_plugin_python

BSD 3-Clause "New" or "Revised" License

allow rodsuser to run a rule string #105

Open d-w-moore opened 2 years ago

d-w-moore commented 2 years ago

The command:

irule -r irods_rule_engine_plugin-python-instance python_rule null  null

should succeed if executed by a rodsuser. In this context, the command line argument python_rule should be taken as the identifier of a Python function (a rule) defined in the global namespace of /etc/irods/core.py. Currently this command only succeeds for a rodsadmin. A rodsuser gets the error SYS_NO_API_PRIV.

korydraughn commented 1 year ago

The following code is the reason why only rodsadmin users can use irule to invoke rules in core.py. https://github.com/irods/irods_rule_engine_plugin_python/blob/0a07fb97b582367afaa31d1981bd065ad32229d2/irods_rule_engine_plugin-python.cxx#L623-L626

If Boost.Python gives us a way to fetch all rules/functions inside of core.py, then we can use that to determine whether the rule text sent by the client should be executed.
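
The check proposed in the last comment, sketched in plain Python rather than through Boost.Python, as an added example that is not the plugin's code and not part of the original thread: it lists the functions defined in a module and accepts client rule text only when it is a bare identifier naming one of them. SAMPLE_CORE_PY is a constructed stand-in for /etc/irods/core.py, and the helper names are hypothetical.

```python
import inspect
import types

# Constructed stand-in for /etc/irods/core.py (not the real file).
SAMPLE_CORE_PY = '''
import os
from os.path import join

def python_rule(rule_args, callback, rei):
    callback.writeLine("serverLog", "python_rule ran")

class NotARule:
    pass
'''


def load_module_from_source(name, source):
    """Execute source in a fresh module object, as importing core.py would."""
    module = types.ModuleType(name)
    exec(compile(source, name + ".py", "exec"), module.__dict__)
    return module


def rules_defined_in(module):
    """Names of plain functions whose def statement lives in this module.

    Imported functions (join) carry a different __module__ and are skipped,
    as are modules (os) and classes (NotARule).
    """
    return {
        name
        for name, obj in vars(module).items()
        if inspect.isfunction(obj) and obj.__module__ == module.__name__
    }


def is_invocable_rule(rule_text, module):
    """True only if rule_text is a bare identifier naming a function in module."""
    # Anything that is not a single identifier is code, not a rule name.
    if not rule_text.isidentifier():
        return False
    return rule_text in rules_defined_in(module)


if __name__ == "__main__":
    core = load_module_from_source("core", SAMPLE_CORE_PY)
    for text in ("python_rule", "join", "python_rule(None, None, None)"):
        print(repr(text), "->", is_invocable_rule(text, core))
```

The allowlist is rebuilt from the module on every call, so a rule added to or removed from the module is reflected without extra bookkeeping.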