Analytics API: Permissions for System Auditor

awx/api/permissions.py

@@ -25,6 +25,7 @@ __all__ = [
     'UserPermission',
     'IsSystemAdminOrAuditor',
     'WorkflowApprovalPermission',
+    'AnalyticsPermission',
 ]
 
 
@@ -250,3 +251,16 @@ class IsSystemAdminOrAuditor(permissions.BasePermission):
 class WebhookKeyPermission(permissions.BasePermission):
     def has_object_permission(self, request, view, obj):
         return request.user.can_access(view.model, 'admin', obj, request.data)
+
+
+class AnalyticsPermission(permissions.BasePermission):
+    """
+    Allows GET/POST/OPTIONS to system admins and system auditors.
+    """
+
+    def has_permission(self, request, view):
+        if not (request.user and request.user.is_authenticated):
+            return False
+        if request.method in ["GET", "POST", "OPTIONS"]:
+            return request.user.is_superuser or request.user.is_system_auditor
+        return request.user.is_superuser

awx/api/views/analytics.py

@@ -7,10 +7,9 @@ from django.utils.translation import gettext_lazy as _
 from django.utils import translation
 
 from awx.api.generics import APIView, Response
-from awx.api.permissions import IsSystemAdminOrAuditor
+from awx.api.permissions import AnalyticsPermission
 from awx.api.versioning import reverse
 from awx.main.utils import get_awx_version
-from rest_framework.permissions import AllowAny
 from rest_framework import status
 
 from collections import OrderedDict
@@ -43,7 +42,7 @@ class GetNotAllowedMixin(object):
 
 
 class AnalyticsRootView(APIView):
-    permission_classes = (AllowAny,)
+    permission_classes = (AnalyticsPermission,)
     name = _('Automation Analytics')
     swagger_topic = 'Automation Analytics'
 
@@ -99,7 +98,7 @@ class AnalyticsGenericView(APIView):
         return Response(response.json(), status=response.status_code)
     """
 
-    permission_classes = (IsSystemAdminOrAuditor,)
+    permission_classes = (AnalyticsPermission,)
 
     @staticmethod
     def _request_headers(request):