Merge pull request #2450 from wwitzel3/release_3.0.0

Fixing Team and Credential access issues
2026-04-06 18:49:21 -02:30 · 2016-06-16 16:36:03 -04:00
parent b56c8f297d 58c8cc1703
commit 051d419b1f
4 changed files with 62 additions and 6 deletions
--- a/awx/main/migrations/0025_v300_update_rbac_parents.py
+++ b/awx/main/migrations/0025_v300_update_rbac_parents.py
@@ -0,0 +1,30 @@
 # -*- coding: utf-8 -*-
 from __future__ import unicode_literals
 from django.db import migrations
 import awx.main.fields
 class Migration(migrations.Migration):
    dependencies = [
        ('main', '0024_v300_jobtemplate_allow_simul'),
    ]
    operations = [
        migrations.AlterField(
            model_name='credential',
            name='use_role',
            field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=[b'organization.admin_role', b'owner_role'], to='main.Role', null=b'True'),
        ),
        migrations.AlterField(
            model_name='team',
            name='member_role',
            field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=b'admin_role', to='main.Role', null=b'True'),
        ),
        migrations.AlterField(
            model_name='team',
            name='read_role',
            field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=[b'organization.auditor_role', b'member_role'], to='main.Role', null=b'True'),
        ),
    ]
--- a/awx/main/models/organization.py
+++ b/awx/main/models/organization.py
@@ -104,9 +104,11 @@ class Team(CommonModelNameNotUnique, ResourceMixin):
    admin_role = ImplicitRoleField(
        parent_role='organization.admin_role',
    )
-    member_role = ImplicitRoleField()
+    member_role = ImplicitRoleField(
        parent_role='admin_role',
    )
    read_role = ImplicitRoleField(
-        parent_role=['admin_role', 'organization.auditor_role', 'member_role'],
+        parent_role=['organization.auditor_role', 'member_role'],
    )
    def get_absolute_url(self):
--- a/awx/main/tests/functional/test_rbac_team.py
+++ b/awx/main/tests/functional/test_rbac_team.py
@@ -90,3 +90,23 @@ def test_team_accessible_objects(team, user, project):
    team.member_role.members.add(u)
    assert len(Project.accessible_objects(u, 'read_role')) == 1
@pytest.mark.django_db
 def test_team_admin_member_access(team, user, project):
    u = user('team_admin', False)
    team.member_role.children.add(project.use_role)
    team.admin_role.members.add(u)
    assert len(Project.accessible_objects(u, 'use_role')) == 1
@pytest.mark.django_db
 def test_org_admin_team_access(organization, team, user, project):
    u = user('team_admin', False)
    organization.admin_role.members.add(u)
    team.organization = organization
    team.save()
    team.member_role.children.add(project.use_role)
    assert len(Project.accessible_objects(u, 'use_role')) == 1
--- a/awx/main/tests/functional/test_teams.py
+++ b/awx/main/tests/functional/test_teams.py
@@ -3,8 +3,12 @@ import pytest
@pytest.mark.django_db()
 def test_admin_not_member(team):
-    "Test to ensure we don't add admin_role as a parent to team.member_role, as "
+    """Test to ensure we don't add admin_role as a parent to team.member_role, as
-    "this creates a cycle with organization administration, which we've decided "
+    this creates a cycle with organization administration, which we've decided
-    "to remove support for"
+    to remove support for
-    assert team.admin_role.is_ancestor_of(team.member_role) is False
+    (2016-06-16) I think this might have been resolved. I'm asserting
    this to be true in the mean time.
    """
    assert team.admin_role.is_ancestor_of(team.member_role) is True