Merge pull request #2450 from wwitzel3/release_3.0.0

Fixing Team and Credential access issues
2026-01-11 10:00:01 -03:30 · 2016-06-16 16:36:03 -04:00 · 2016-06-16 16:36:03 -04:00 · 051d419b1f
commit 051d419b1f
parent b56c8f297d 58c8cc1703
4 changed files with 62 additions and 6 deletions
--- a/awx/main/migrations/0025_v300_update_rbac_parents.py
+++ b/awx/main/migrations/0025_v300_update_rbac_parents.py
@ -0,0 +1,30 @@
+# -*- coding: utf-8 -*-
+from __future__ import unicode_literals
+
+from django.db import migrations
+import awx.main.fields
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('main', '0024_v300_jobtemplate_allow_simul'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='credential',
+            name='use_role',
+            field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=[b'organization.admin_role', b'owner_role'], to='main.Role', null=b'True'),
+        ),
+        migrations.AlterField(
+            model_name='team',
+            name='member_role',
+            field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=b'admin_role', to='main.Role', null=b'True'),
+        ),
+        migrations.AlterField(
+            model_name='team',
+            name='read_role',
+            field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=[b'organization.auditor_role', b'member_role'], to='main.Role', null=b'True'),
+        ),
+    ]
--- a/awx/main/models/organization.py
+++ b/awx/main/models/organization.py
@ -104,9 +104,11 @@ class Team(CommonModelNameNotUnique, ResourceMixin):
    admin_role = ImplicitRoleField(
        parent_role='organization.admin_role',
    )
-    member_role = ImplicitRoleField()
+    member_role = ImplicitRoleField(
+        parent_role='admin_role',
+    )
    read_role = ImplicitRoleField(
-        parent_role=['admin_role', 'organization.auditor_role', 'member_role'],
+        parent_role=['organization.auditor_role', 'member_role'],
    )

    def get_absolute_url(self):
--- a/awx/main/tests/functional/test_rbac_team.py
+++ b/awx/main/tests/functional/test_rbac_team.py
@ -90,3 +90,23 @@ def test_team_accessible_objects(team, user, project):
    team.member_role.members.add(u)
    assert len(Project.accessible_objects(u, 'read_role')) == 1

+@pytest.mark.django_db
+def test_team_admin_member_access(team, user, project):
+    u = user('team_admin', False)
+    team.member_role.children.add(project.use_role)
+    team.admin_role.members.add(u)
+
+    assert len(Project.accessible_objects(u, 'use_role')) == 1
+
+
+@pytest.mark.django_db
+def test_org_admin_team_access(organization, team, user, project):
+    u = user('team_admin', False)
+    organization.admin_role.members.add(u)
+
+    team.organization = organization
+    team.save()
+
+    team.member_role.children.add(project.use_role)
+
+    assert len(Project.accessible_objects(u, 'use_role')) == 1
--- a/awx/main/tests/functional/test_teams.py
+++ b/awx/main/tests/functional/test_teams.py
@ -3,8 +3,12 @@ import pytest

@pytest.mark.django_db()
 def test_admin_not_member(team):
-    "Test to ensure we don't add admin_role as a parent to team.member_role, as "
-    "this creates a cycle with organization administration, which we've decided "
-    "to remove support for"
+    """Test to ensure we don't add admin_role as a parent to team.member_role, as
+    this creates a cycle with organization administration, which we've decided
+    to remove support for

-    assert team.admin_role.is_ancestor_of(team.member_role) is False
+    (2016-06-16) I think this might have been resolved. I'm asserting
+    this to be true in the mean time.
+    """
+
+    assert team.admin_role.is_ancestor_of(team.member_role) is True