Show organizations based on more granular RBAC roles

Marliana Lara 2018-03-13 16:53:00 -04:00
parent e58038b056
commit 01d35ea9c0
No known key found for this signature in database
GPG Key ID: 38C73B40DFA809EE
10 changed files with 67 additions and 16 deletions


@ -43,10 +43,11 @@ function EditCredentialsController (models, $state, $scope, strings, componentsS
}
const isOrgAdmin = _.some(me.get('related.admin_of_organizations.results'), (org) => org.id === organization.get('id'));
const isOrgCredentialAdmin = organization.search({ role_level: 'credential_admin_role' }).then((data) => data);
const isSuperuser = me.get('is_superuser');
const isCurrentAuthor = Boolean(credential.get('summary_fields.created_by.id') === me.get('id'));
vm.form.organization._disabled = true;
if (isSuperuser || isOrgAdmin || (credential.get('organization') === null && isCurrentAuthor)) {
if (isSuperuser || isOrgAdmin || isOrgCredentialAdmin || (credential.get('organization') === null && isCurrentAuthor)) {
vm.form.organization._disabled = false;
}
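Review bot: `isOrgCredentialAdmin` holds the promise returned by `organization.search(...).then(...)`, not its result, so it is always truthy in the new `if` and `vm.form.organization._disabled = false` runs for every user. Evaluate the synchronous part (`isSuperuser || isOrgAdmin || ...`) as before and enable the field for credential admins inside the `.then` callback, only when the resolved data shows a match. As written, the search is also not restricted to this credential's organization, so it would presumably pass for a credential admin of any organization; confirm that is intended. This is a display gate and the API stays the enforcement point, but the field should still reflect the user's actual role. The controller body starts and ends outside the hunk.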


@ -238,7 +238,7 @@ function LegacyCredentialsService () {
value: {
page_size: 5,
order_by: 'name',
role_level: 'admin_role'
role_level: 'credential_admin_role'
},
dynamic: true,
squash: ''


@ -47,10 +47,10 @@ function InventoriesEdit($scope, $location,
field_id: 'inventory_inventory_variables'
});
OrgAdminLookup.checkForAdminAccess({organization: inventoryData.organization})
.then(function(canEditOrg){
$scope.canEditOrg = canEditOrg;
});
OrgAdminLookup.checkForRoleLevelAdminAccess(inventoryData.organization, 'inventory_admin_role')
.then(function(canEditOrg){
$scope.canEditOrg = canEditOrg;
});
$scope.inventory_obj = inventoryData;
$scope.inventory_name = inventoryData.name;


@ -20,6 +20,7 @@ export default ['i18n', 'templateUrl', function(i18n, templateUrl){
hover: false,
emptyListText: i18n.sprintf(i18n._("This list is populated by notification templates added from the %sNotifications%s section"), "&nbsp;<a ui-sref='notifications.add'>", "</a>&nbsp;"),
basePath: 'notification_templates',
ngIf: 'current_user.is_superuser || isOrgAdmin',
fields: {
name: {
key: true,


@ -4,10 +4,10 @@
* All Rights Reserved
*************************************************/
export default ['$scope', '$location', '$stateParams',
export default ['$scope', '$location', '$stateParams', 'OrgAdminLookup',
'OrganizationForm', 'Rest', 'ProcessErrors', 'Prompt',
'GetBasePath', 'Wait', '$state', 'ToggleNotification', 'CreateSelect2', 'InstanceGroupsService', 'InstanceGroupsData', 'ConfigData',
function($scope, $location, $stateParams,
function($scope, $location, $stateParams, OrgAdminLookup,
OrganizationForm, Rest, ProcessErrors, Prompt,
GetBasePath, Wait, $state, ToggleNotification, CreateSelect2, InstanceGroupsService, InstanceGroupsData, ConfigData) {
@ -21,6 +21,11 @@ export default ['$scope', '$location', '$stateParams',
init();
function init() {
OrgAdminLookup.checkForAdminAccess({organization: id})
.then(function(isOrgAdmin){
$scope.isOrgAdmin = isOrgAdmin;
});
$scope.$watch('organization_obj.summary_fields.user_capabilities.edit', function(val) {
if (val === false) {
$scope.canAdd = false;


@ -143,7 +143,7 @@ export default ['$scope', '$rootScope', '$stateParams', 'ProjectsForm', 'Rest',
$scope.scm_type_class = "btn-disabled";
}
OrgAdminLookup.checkForAdminAccess({organization: data.organization})
OrgAdminLookup.checkForRoleLevelAdminAccess(data.organization, 'project_admin_role')
.then(function(canEditOrg){
$scope.canEditOrg = canEditOrg;
});


@ -501,7 +501,7 @@ function(ConfigurationUtils, i18n, $rootScope) {
}])
// lookup Validate lookup value against API
.directive('awlookup', ['Rest', 'GetBasePath', '$q', function(Rest, GetBasePath, $q) {
.directive('awlookup', ['Rest', 'GetBasePath', '$q', '$state', function(Rest, GetBasePath, $q, $state) {
return {
require: 'ngModel',
link: function(scope, elm, attrs, fieldCtrl) {
@ -668,7 +668,15 @@ function(ConfigurationUtils, i18n, $rootScope) {
query += '&cloud=true&role_level=use_role';
break;
case 'organization':
query += '&role_level=admin_role';
if ($state.current.name.includes('inventories')) {
query += '&role_level=inventory_admin_role';
} else if ($state.current.name.includes('templates.editWorkflowJobTemplate')) {
query += '&role_level=workflow_admin_role';
} else if ($state.current.name.includes('projects')) {
query += '&role_level=project_admin_role';
} else {
query += '&role_level=admin_role';
}
break;
case 'inventory_script':
query += '&role_level=admin_role&organization=' + scope.$resolve.inventoryData.summary_fields.organization.id;
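Review bot: The new `organization` case maps only `templates.editWorkflowJobTemplate` to `workflow_admin_role`, while the lookup-list change in this same commit also maps `templates.addWorkflowJobTemplate`, so on the add state this validator falls through to `admin_role`. A workflow admin could then presumably pick an organization from the lookup list and still have the typed value rejected by this validation query. Consider adding `|| $state.current.name.includes('templates.addWorkflowJobTemplate')` to the second branch, or moving the state-to-role mapping into one shared helper so both call sites stay in step. The substring match on `$state.current.name` also selects the role for any state whose name merely contains `inventories` or `projects`, which deserves a short comment.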


@ -5,8 +5,8 @@
*************************************************/
export default
['Rest', 'Authorization', 'GetBasePath', '$rootScope', '$q',
function(Rest, Authorization, GetBasePath, $rootScope, $q){
['Rest', 'Authorization', 'GetBasePath', 'ProcessErrors', '$rootScope', '$q',
function(Rest, Authorization, GetBasePath, ProcessErrors, $rootScope, $q){
return {
checkForAdminAccess: function(params) {
// params.organization - id of the organization in question
@ -28,8 +28,38 @@ export default
}
return deferred.promise;
}
},
checkForRoleLevelAdminAccess: function(organization_id, role_level) {
let deferred = $q.defer();
let params = {
role_level,
id: organization_id
};
if(Authorization.getUserInfo('is_superuser') !== true) {
Rest.setUrl(GetBasePath('organizations'));
Rest.get({ params: params })
.then(({data}) => {
if(data.count && data.count > 0) {
deferred.resolve(true);
}
else {
deferred.resolve(false);
}
})
.catch(({data, status}) => {
ProcessErrors(null, data, status, null, {
hdr: 'Error!',
msg: 'Failed to get organization data based on role_level. Return status: ' + status
});
});
}
else {
deferred.resolve(true);
}
return deferred.promise;
}
};
}
];
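Review bot: In `checkForRoleLevelAdminAccess` the `.catch` handler calls `ProcessErrors` but never settles `deferred`, so after a failed request the returned promise stays pending and the callers' `.then(function(canEditOrg){...})` never runs. Add `deferred.resolve(false);` (or a `deferred.reject(...)`) after the `ProcessErrors` call so callers get an explicit deny result. The function could also return the `Rest.get(...)` chain directly instead of wrapping it in `$q.defer()`, and it would benefit from a comment like the one on `checkForAdminAccess` describing `organization_id` and `role_level`. The `is_superuser` shortcut decides only what the UI shows; the API is still expected to enforce the role.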


@ -848,7 +848,13 @@ function($injector, $stateExtender, $log, i18n) {
// Need to change the role_level here b/c organizations and inventory scripts
// don't have a "use_role", only "admin_role" and "read_role"
if(list.iterator === "organization"){
$stateParams[`${list.iterator}_search`].role_level = "admin_role";
if ($state.current.name.includes('inventories')) {
$stateParams[`${list.iterator}_search`].role_level = "inventory_admin_role";
} else if ($state.current.name.includes('projects')) {
$stateParams[`${list.iterator}_search`].role_level = "project_admin_role";
} else if ($state.current.name.includes('templates.addWorkflowJobTemplate') || $state.current.name.includes('templates.editWorkflowJobTemplate')) {
$stateParams[`${list.iterator}_search`].role_level = "workflow_admin_role";
}
}
if(list.iterator === "inventory_script"){
$stateParams[`${list.iterator}_search`].role_level = "admin_role";
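Review bot: The `organization` branch no longer has a fallback: outside the `inventories`, `projects` and workflow-template states, `role_level` keeps whatever value it had, whereas the removed line always set `"admin_role"`. Per the comment above the branch, organizations have no `use_role`, so an organization lookup opened from any other state would presumably query with a role that organizations do not define. Add a final `else` that assigns `"admin_role"` as before, which would also match the default kept in the `awlookup` validation change in this commit. The enclosing function starts and ends outside the hunk.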


@ -99,7 +99,7 @@ export default [
}
if(workflowJobTemplateData.organization) {
OrgAdminLookup.checkForAdminAccess({organization: workflowJobTemplateData.organization})
OrgAdminLookup.checkForRoleLevelAdminAccess(workflowJobTemplateData.organization, 'workflow_admin_role')
.then(function(canEditOrg){
$scope.canEditOrg = canEditOrg;
});