# HG changeset patch
# User Rok Strnisa
# Date 1282839530 -3600
# Node ID deea41560521ebeb1c5cc8822ea6a4ec5235824a
# Parent 2743e64a67a66216bd3d4fdfed6c5d0c31fb901c
Provides the user with a friendlier message when they are denied access. The message now includes which roles *do* have the required permission.
Signed-off-by: Rok Strnisa
diff --git a/ocaml/idl/ocaml_backend/OMakefile b/ocaml/idl/ocaml_backend/OMakefile
--- a/ocaml/idl/ocaml_backend/OMakefile
+++ b/ocaml/idl/ocaml_backend/OMakefile
@@ -98,6 +98,8 @@ SERVER_OBJS = ../../database/escaping lo
 ../../xapi/xapi_inventory \
 ../../xapi/hashtbl_xml \
 ../../xapi/localdb \
+ ../../xapi/xapi_role \
+ ../../xapi/db \
 rbac \
 rbac_audit \
 ../../autogen/rbac_static \
diff --git a/ocaml/idl/ocaml_backend/rbac.ml b/ocaml/idl/ocaml_backend/rbac.ml
--- a/ocaml/idl/ocaml_backend/rbac.ml
+++ b/ocaml/idl/ocaml_backend/rbac.ml
@@ -11,6 +11,9 @@
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU Lesser General Public License for more details.
 *)
+
+open Listext
+
 module D = Debug.Debugger(struct let name="rbac" end)
 open D
@@ -216,7 +219,7 @@ let nofn = fun () -> ()
 let check ?(extra_dmsg="") ?(extra_msg="") ?args ?(keys=[]) ~__context ~fn session_id action =
 let permission = permission_of_action action ?args ~keys in
-
+
 if (is_access_allowed ~__context ~session_id ~permission)
 then (* allow access to action *)
 begin
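Review bot: The two new SERVER_OBJS entries, `../../xapi/xapi_role` and `../../xapi/db`, are the same modules that the two hunks of ocaml/xapi/OMakefile below remove from COMMON and XAPI_MODULES, so the RBAC code under idl/ocaml_backend now links against xapi-level modules rather than xapi depending on the backend. That reverses the dependency direction for these two modules and presumably relies on xapi picking them up through SERVER_OBJS instead. A short comment next to the new entries, `# needed by rbac.ml: the denial message lists the roles holding the permission`, would record why backend code depends on them.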
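Review bot: The `open Listext` added near the top of rbac.ml is not exercised by anything visible in this change; the new deny-branch code uses only `List.fold_left`, which the standard library provides. Unless something elsewhere in rbac.ml, outside these hunks, needs Listext, the open should be dropped, since it shadows `List` for the whole module with no benefit. The `@@ -216,7 +219,7` hunk in the same file only replaces an empty line with a whitespace-only one and is stray noise worth reverting.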
@@ -231,18 +234,28 @@ let check ?(extra_dmsg="") ?(extra_msg="
 result
 with error-> (* catch all exceptions *)
 begin
- Rbac_audit.allowed_post_fn_error ~__context ~session_id ~action
+ Rbac_audit.allowed_post_fn_error ~__context ~session_id ~action ~permission
 ?sexpr_of_args ?args ~error ();
 raise error
 end
 end
- else (* deny access to action *)
- begin
- let msg=(Printf.sprintf "No permission in user session%s" extra_msg) in
+ else begin (* deny access to action *)
+ let allowed_roles_string =
+ try
+ let allowed_roles = Xapi_role.get_by_permission_name_label ~__context ~label:permission in
+ List.fold_left
+ (fun acc allowed_role -> acc ^ (if acc = "" then "" else ", ") ^
+ (Xapi_role.get_name_label ~__context ~self:allowed_role))
+ "" allowed_roles
+ with e -> debug "Could not obtain allowed roles for %s (%s)" permission (ExnHelper.string_of_exn e);
+ ""
+ in
+ let msg = (Printf.sprintf "No permission in user session. (Roles with this permission: %s)%s"
+ allowed_roles_string extra_msg) in
 debug "%s[%s]: %s %s %s" action permission msg (trackid session_id) extra_dmsg;
- Rbac_audit.denied ~__context ~session_id ~action ~permission
+ Rbac_audit.denied ~__context ~session_id ~action ~permission ?args
 ();
- raise (Api_errors.Server_error
+ raise (Api_errors.Server_error
 (Api_errors.rbac_permission_denied,[permission;msg]))
 end
diff --git a/ocaml/xapi/OMakefile b/ocaml/xapi/OMakefile
--- a/ocaml/xapi/OMakefile
+++ b/ocaml/xapi/OMakefile
@@ -38,7 +38,6 @@ OCamlProgram(show_bat, show_bat)
 COMMON = \
 xapi_templates \
 ../idl/api_lowlevel \
- db \
 nm \
 xapi_mgmt_iface \
 smint \
@@ -108,7 +107,6 @@ XAPI_MODULES = $(COMMON) \
 ../auth/extauth_plugin_ADlikewise \
 ../auth/parse_likewise \
 xapi_subject \
- xapi_role \
 audit_log \
 xapi_vmpp \
 xapi_vm_lifecycle \
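Review bot: When the role lookup raises, `allowed_roles_string` is `""` and the denial message becomes `No permission in user session. (Roles with this permission: )`, which tells the caller that no role holds the permission rather than that the lookup failed; the same empty parenthetical also appears when the permission genuinely maps to no role. The parenthetical should only be emitted when there is a name to show, and `String.concat ", "` does the joining more plainly than the `^` fold with its `acc = ""` separator test (the output is identical for non-empty labels). The catch-all `with e` is tolerable here only because the outcome is still a denial and an audit record, so a failure in `Xapi_role.get_by_permission_name_label` degrades the message but never grants access; the debug line already records the exception, which is the right level for that. The enclosing `check` starts in the previous hunk, outside this one.
```ocaml
  else begin (* deny access to action *)
    let allowed_roles_string =
      try
        String.concat ", "
          (List.map (fun self -> Xapi_role.get_name_label ~__context ~self)
             (Xapi_role.get_by_permission_name_label ~__context ~label:permission))
      with e ->
        debug "Could not obtain allowed roles for %s (%s)" permission (ExnHelper.string_of_exn e);
        ""
    in
    (* Only mention roles when the lookup produced some; an empty list would
       read as "no role has this permission" even when the lookup failed. *)
    let roles_hint =
      if allowed_roles_string = "" then ""
      else Printf.sprintf " (Roles with this permission: %s)" allowed_roles_string
    in
    let msg = Printf.sprintf "No permission in user session.%s%s" roles_hint extra_msg in
    (* … unchanged: debug line, Rbac_audit.denied, raise Server_error … *)
```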