Extend test and fix to include the admin_role

2026-01-14 19:30:39 -03:30 · 2018-04-02 15:37:47 -04:00 · 2018-04-02 15:37:47 -04:00 · 067ead35ac
commit 067ead35ac
parent ea7a0b2f58
2 changed files with 7 additions and 2 deletions
--- a/awx/main/access.py
+++ b/awx/main/access.py
@ -2523,8 +2523,12 @@ class RoleAccess(BaseAccess):
            if not check_user_access(self.user, sub_obj_resource.__class__, 'read', sub_obj_resource):
                return False

-        if isinstance(obj.content_object, Organization) and obj.role_field == 'member_role':
-            if not UserAccess(self.user).can_admin(sub_obj, data):
+        # Being a user in the member_role or admin_role of an organization grants
+        # administrators of that Organization the ability to edit that user. To prevent
+        # unwanted escalations lets ensure that the Organization administartor has the abilty
+        # to admin the user being added to the role.
+        if isinstance(obj.content_object, Organization) and obj.role_field in ['member_role', 'admin_role']:
+            if not UserAccess(self.user).can_admin(sub_obj, None):
                return False

        if isinstance(obj.content_object, ResourceMixin) and \
--- a/awx/main/tests/functional/test_rbac_role.py
+++ b/awx/main/tests/functional/test_rbac_role.py
@ -61,3 +61,4 @@ def test_org_user_role_attach(user, organization):

    access = RoleAccess(admin)
    assert not access.can_attach(organization.member_role, nonmember, 'members', None)
+    assert not access.can_attach(organization.admin_role, nonmember, 'members', None)