External-Mirrors/awx
2
0
Fork 0
mirror of https://github.com/ansible/awx.git synced 2026-03-29 06:45:09 -02:30
Code Issues Packages Projects Releases Wiki Activity

Show organizations based on more granular RBAC roles

Browse Source
This commit is contained in:
Marliana Lara
2018-03-13 16:53:00 -04:00
parent e58038b056
commit 01d35ea9c0
10 changed files with 67 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
awx/ui/client/features/credentials/edit-credentials.controller.js
View File

@@ -43,10 +43,11 @@ function EditCredentialsController (models, $state, $scope, strings, componentsS
} }
const isOrgAdmin = _.some(me.get('related.admin_of_organizations.results'), (org) => org.id === organization.get('id')); const isOrgAdmin = _.some(me.get('related.admin_of_organizations.results'), (org) => org.id === organization.get('id'));
const isOrgCredentialAdmin = organization.search({ role_level: 'credential_admin_role' }).then((data) => data);
const isSuperuser = me.get('is_superuser'); const isSuperuser = me.get('is_superuser');
const isCurrentAuthor = Boolean(credential.get('summary_fields.created_by.id') === me.get('id')); const isCurrentAuthor = Boolean(credential.get('summary_fields.created_by.id') === me.get('id'));
vm.form.organization._disabled = true; vm.form.organization._disabled = true;
if (isSuperuser || isOrgAdmin || (credential.get('organization') === null && isCurrentAuthor)) { if (isSuperuser || isOrgAdmin || isOrgCredentialAdmin || (credential.get('organization') === null && isCurrentAuthor)) {
vm.form.organization._disabled = false; vm.form.organization._disabled = false;
} }

2
awx/ui/client/features/credentials/legacy.credentials.js
View File

@@ -238,7 +238,7 @@ function LegacyCredentialsService () {
value: { value: {
page_size: 5, page_size: 5,
order_by: 'name', order_by: 'name',
role_level: 'admin_role' role_level: 'credential_admin_role'
}, },
dynamic: true, dynamic: true,
squash: '' squash: ''

8
awx/ui/client/src/inventories-hosts/inventories/standard-inventory/edit/inventory-edit.controller.js
View File

@@ -47,10 +47,10 @@ function InventoriesEdit($scope, $location,
field_id: 'inventory_inventory_variables' field_id: 'inventory_inventory_variables'
}); });
OrgAdminLookup.checkForAdminAccess({organization: inventoryData.organization}) OrgAdminLookup.checkForRoleLevelAdminAccess(inventoryData.organization, 'inventory_admin_role')
.then(function(canEditOrg){ .then(function(canEditOrg){
$scope.canEditOrg = canEditOrg; $scope.canEditOrg = canEditOrg;
}); });
$scope.inventory_obj = inventoryData; $scope.inventory_obj = inventoryData;
$scope.inventory_name = inventoryData.name; $scope.inventory_name = inventoryData.name;

1
awx/ui/client/src/notifications/notifications.list.js
View File

@@ -20,6 +20,7 @@ export default ['i18n', 'templateUrl', function(i18n, templateUrl){
hover: false, hover: false,
emptyListText: i18n.sprintf(i18n._("This list is populated by notification templates added from the %sNotifications%s section"), "&nbsp;<a ui-sref='notifications.add'>", "</a>&nbsp;"), emptyListText: i18n.sprintf(i18n._("This list is populated by notification templates added from the %sNotifications%s section"), "&nbsp;<a ui-sref='notifications.add'>", "</a>&nbsp;"),
basePath: 'notification_templates', basePath: 'notification_templates',
ngIf: 'current_user.is_superuser || isOrgAdmin',
fields: { fields: {
name: { name: {
key: true, key: true,

9
awx/ui/client/src/organizations/edit/organizations-edit.controller.js
View File

@@ -4,10 +4,10 @@
* All Rights Reserved * All Rights Reserved
*************************************************/ *************************************************/
export default ['$scope', '$location', '$stateParams', export default ['$scope', '$location', '$stateParams', 'OrgAdminLookup',
'OrganizationForm', 'Rest', 'ProcessErrors', 'Prompt', 'OrganizationForm', 'Rest', 'ProcessErrors', 'Prompt',
'GetBasePath', 'Wait', '$state', 'ToggleNotification', 'CreateSelect2', 'InstanceGroupsService', 'InstanceGroupsData', 'ConfigData', 'GetBasePath', 'Wait', '$state', 'ToggleNotification', 'CreateSelect2', 'InstanceGroupsService', 'InstanceGroupsData', 'ConfigData',
function($scope, $location, $stateParams, function($scope, $location, $stateParams, OrgAdminLookup,
OrganizationForm, Rest, ProcessErrors, Prompt, OrganizationForm, Rest, ProcessErrors, Prompt,
GetBasePath, Wait, $state, ToggleNotification, CreateSelect2, InstanceGroupsService, InstanceGroupsData, ConfigData) { GetBasePath, Wait, $state, ToggleNotification, CreateSelect2, InstanceGroupsService, InstanceGroupsData, ConfigData) {
@@ -21,6 +21,11 @@ export default ['$scope', '$location', '$stateParams',
init(); init();
function init() { function init() {
OrgAdminLookup.checkForAdminAccess({organization: id})
.then(function(isOrgAdmin){
$scope.isOrgAdmin = isOrgAdmin;
});
$scope.$watch('organization_obj.summary_fields.user_capabilities.edit', function(val) { $scope.$watch('organization_obj.summary_fields.user_capabilities.edit', function(val) {
if (val === false) { if (val === false) {
$scope.canAdd = false; $scope.canAdd = false;

2
awx/ui/client/src/projects/edit/projects-edit.controller.js
View File

@@ -143,7 +143,7 @@ export default ['$scope', '$rootScope', '$stateParams', 'ProjectsForm', 'Rest',
$scope.scm_type_class = "btn-disabled"; $scope.scm_type_class = "btn-disabled";
} }
OrgAdminLookup.checkForAdminAccess({organization: data.organization}) OrgAdminLookup.checkForRoleLevelAdminAccess(data.organization, 'project_admin_role')
.then(function(canEditOrg){ .then(function(canEditOrg){
$scope.canEditOrg = canEditOrg; $scope.canEditOrg = canEditOrg;
}); });

12
awx/ui/client/src/shared/directives.js
View File

@@ -501,7 +501,7 @@ function(ConfigurationUtils, i18n, $rootScope) {
}]) }])
// lookup Validate lookup value against API // lookup Validate lookup value against API
.directive('awlookup', ['Rest', 'GetBasePath', '$q', function(Rest, GetBasePath, $q) { .directive('awlookup', ['Rest', 'GetBasePath', '$q', '$state', function(Rest, GetBasePath, $q, $state) {
return { return {
require: 'ngModel', require: 'ngModel',
link: function(scope, elm, attrs, fieldCtrl) { link: function(scope, elm, attrs, fieldCtrl) {
@@ -668,7 +668,15 @@ function(ConfigurationUtils, i18n, $rootScope) {
query += '&cloud=true&role_level=use_role'; query += '&cloud=true&role_level=use_role';
break; break;
case 'organization': case 'organization':
query += '&role_level=admin_role'; if ($state.current.name.includes('inventories')) {
query += '&role_level=inventory_admin_role';
} else if ($state.current.name.includes('templates.editWorkflowJobTemplate')) {
query += '&role_level=workflow_admin_role';
} else if ($state.current.name.includes('projects')) {
query += '&role_level=project_admin_role';
} else {
query += '&role_level=admin_role';
}
break; break;
case 'inventory_script': case 'inventory_script':
query += '&role_level=admin_role&organization=' + scope.$resolve.inventoryData.summary_fields.organization.id; query += '&role_level=admin_role&organization=' + scope.$resolve.inventoryData.summary_fields.organization.id;

36
awx/ui/client/src/shared/org-admin-lookup/org-admin-lookup.factory.js
View File

@@ -5,8 +5,8 @@
*************************************************/ *************************************************/
export default export default
['Rest', 'Authorization', 'GetBasePath', '$rootScope', '$q', ['Rest', 'Authorization', 'GetBasePath', 'ProcessErrors', '$rootScope', '$q',
function(Rest, Authorization, GetBasePath, $rootScope, $q){ function(Rest, Authorization, GetBasePath, ProcessErrors, $rootScope, $q){
return { return {
checkForAdminAccess: function(params) { checkForAdminAccess: function(params) {
// params.organization - id of the organization in question // params.organization - id of the organization in question
@@ -28,8 +28,38 @@ export default
} }
return deferred.promise; return deferred.promise;
} },
checkForRoleLevelAdminAccess: function(organization_id, role_level) {
let deferred = $q.defer();
let params = {
role_level,
id: organization_id
};
if(Authorization.getUserInfo('is_superuser') !== true) {
Rest.setUrl(GetBasePath('organizations'));
Rest.get({ params: params })
.then(({data}) => {
if(data.count && data.count > 0) {
deferred.resolve(true);
}
else {
deferred.resolve(false);
}
})
.catch(({data, status}) => {
ProcessErrors(null, data, status, null, {
hdr: 'Error!',
msg: 'Failed to get organization data based on role_level. Return status: ' + status
});
});
}
else {
deferred.resolve(true);
}
return deferred.promise;
}
}; };
} }
]; ];

8
awx/ui/client/src/shared/stateDefinitions.factory.js
View File

@@ -848,7 +848,13 @@ function($injector, $stateExtender, $log, i18n) {
// Need to change the role_level here b/c organizations and inventory scripts // Need to change the role_level here b/c organizations and inventory scripts
// don't have a "use_role", only "admin_role" and "read_role" // don't have a "use_role", only "admin_role" and "read_role"
if(list.iterator === "organization"){ if(list.iterator === "organization"){
$stateParams[`${list.iterator}_search`].role_level = "admin_role"; if ($state.current.name.includes('inventories')) {
$stateParams[`${list.iterator}_search`].role_level = "inventory_admin_role";
} else if ($state.current.name.includes('projects')) {
$stateParams[`${list.iterator}_search`].role_level = "project_admin_role";
} else if ($state.current.name.includes('templates.addWorkflowJobTemplate') || $state.current.name.includes('templates.editWorkflowJobTemplate')) {
$stateParams[`${list.iterator}_search`].role_level = "workflow_admin_role";
}
} }
if(list.iterator === "inventory_script"){ if(list.iterator === "inventory_script"){
$stateParams[`${list.iterator}_search`].role_level = "admin_role"; $stateParams[`${list.iterator}_search`].role_level = "admin_role";

2
awx/ui/client/src/templates/workflows/edit-workflow/workflow-edit.controller.js
View File

@@ -99,7 +99,7 @@ export default [
} }
if(workflowJobTemplateData.organization) { if(workflowJobTemplateData.organization) {
OrgAdminLookup.checkForAdminAccess({organization: workflowJobTemplateData.organization}) OrgAdminLookup.checkForRoleLevelAdminAccess(workflowJobTemplateData.organization, 'workflow_admin_role')
.then(function(canEditOrg){ .then(function(canEditOrg){
$scope.canEditOrg = canEditOrg; $scope.canEditOrg = canEditOrg;
}); });