External-Mirrors/awx
2
0
Fork 0
mirror of https://github.com/ansible/awx.git synced 2026-03-26 13:25:02 -02:30
Code Issues Packages Projects Releases Wiki Activity

Raise meaningful error when permission denied to copy JT

Browse Source 
When a user doesn't have access to all the credentials of a job
template, they cannot copy the JT. However, currently we raise a
default `PermissionDenied`, which doesn't give the user insight
into what's wrong. So, this PR just adds a custom message indicating
that access to credentials is missing.

Signed-off-by: Vismay Golwala <vgolwala@redhat.com>
This commit is contained in:
Vismay Golwala
2019-05-02 13:17:46 -04:00
parent cf6a103207
commit 0154d80f19
3 changed files with 41 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
awx/api/generics.py
View File

@@ -959,8 +959,11 @@ class CopyAPIView(GenericAPIView):
create_kwargs = self._build_create_dict(obj) create_kwargs = self._build_create_dict(obj)
for key in create_kwargs: for key in create_kwargs:
create_kwargs[key] = getattr(create_kwargs[key], 'pk', None) or create_kwargs[key] create_kwargs[key] = getattr(create_kwargs[key], 'pk', None) or create_kwargs[key]
can_copy = request.user.can_access(self.model, 'add', create_kwargs) and \ try:
request.user.can_access(self.model, 'copy_related', obj) can_copy = request.user.can_access(self.model, 'add', create_kwargs) and \
request.user.can_access(self.model, 'copy_related', obj)
except PermissionDenied:
return Response({'can_copy': False})
return Response({'can_copy': can_copy}) return Response({'can_copy': can_copy})
def post(self, request, *args, **kwargs): def post(self, request, *args, **kwargs):

5
awx/main/access.py
View File

@@ -1507,7 +1507,10 @@ class JobTemplateAccess(NotificationAttachMixin, BaseAccess):
# obj.credentials.all() is accessible ONLY when object is saved (has valid id) # obj.credentials.all() is accessible ONLY when object is saved (has valid id)
credential_manager = getattr(obj, 'credentials', None) if getattr(obj, 'id', False) else Credential.objects.none() credential_manager = getattr(obj, 'credentials', None) if getattr(obj, 'id', False) else Credential.objects.none()
return reduce(lambda prev, cred: prev and self.user in cred.use_role, credential_manager.all(), True) user_can_copy = reduce(lambda prev, cred: prev and self.user in cred.use_role, credential_manager.all(), True)
if not user_can_copy:
raise PermissionDenied(_('Insufficient access to Job Template credentials.'))
return user_can_copy
def can_start(self, obj, validate_license=True): def can_start(self, obj, validate_license=True):
# Check license. # Check license.

45
awx/main/tests/functional/test_copy.py
View File

@@ -28,25 +28,44 @@ def test_job_template_copy(post, get, project, inventory, machine_credential, va
reverse('api:job_template_copy', kwargs={'pk': job_template_with_survey_passwords.pk}), reverse('api:job_template_copy', kwargs={'pk': job_template_with_survey_passwords.pk}),
admin, expect=200 admin, expect=200
).data['can_copy'] is True ).data['can_copy'] is True
post( assert post(
reverse('api:job_template_copy', kwargs={'pk': job_template_with_survey_passwords.pk}), reverse('api:job_template_copy', kwargs={'pk': job_template_with_survey_passwords.pk}),
{'name': 'new jt name'}, alice, expect=403 {'name': 'new jt name'}, alice, expect=403
) ).data['detail'] == 'Insufficient access to Job Template credentials.'
jt_copy_pk = post( jt_copy_pk = post(
reverse('api:job_template_copy', kwargs={'pk': job_template_with_survey_passwords.pk}), reverse('api:job_template_copy', kwargs={'pk': job_template_with_survey_passwords.pk}),
{'name': 'new jt name'}, admin, expect=201 {'name': 'new jt name'}, admin, expect=201
).data['id'] ).data['id']
jt_copy = type(job_template_with_survey_passwords).objects.get(pk=jt_copy_pk)
assert jt_copy.created_by == admin # give credential access to user 'alice'
assert jt_copy.name == 'new jt name' for c in (credential, machine_credential, vault_credential):
assert jt_copy.project == project c.use_role.members.add(alice)
assert jt_copy.inventory == inventory c.save()
assert jt_copy.playbook == job_template_with_survey_passwords.playbook assert get(
assert jt_copy.credentials.count() == 3 reverse('api:job_template_copy', kwargs={'pk': job_template_with_survey_passwords.pk}),
assert credential in jt_copy.credentials.all() alice, expect=200
assert vault_credential in jt_copy.credentials.all() ).data['can_copy'] is True
assert machine_credential in jt_copy.credentials.all() jt_copy_pk_alice = post(
assert job_template_with_survey_passwords.survey_spec == jt_copy.survey_spec reverse('api:job_template_copy', kwargs={'pk': job_template_with_survey_passwords.pk}),
{'name': 'new jt name'}, alice, expect=201
).data['id']
jt_copy_admin = type(job_template_with_survey_passwords).objects.get(pk=jt_copy_pk)
jt_copy_alice = type(job_template_with_survey_passwords).objects.get(pk=jt_copy_pk_alice)
assert jt_copy_admin.created_by == admin
assert jt_copy_alice.created_by == alice
for jt_copy in (jt_copy_admin, jt_copy_alice):
assert jt_copy.name == 'new jt name'
assert jt_copy.project == project
assert jt_copy.inventory == inventory
assert jt_copy.playbook == job_template_with_survey_passwords.playbook
assert jt_copy.credentials.count() == 3
assert credential in jt_copy.credentials.all()
assert vault_credential in jt_copy.credentials.all()
assert machine_credential in jt_copy.credentials.all()
assert job_template_with_survey_passwords.survey_spec == jt_copy.survey_spec
@pytest.mark.django_db @pytest.mark.django_db