do not allow membership changes to User.admin_role

2026-01-13 02:50:02 -03:30 · 2016-07-28 19:26:30 -04:00 · 2016-07-28 19:26:30 -04:00 · 06bb8871d7
commit 06bb8871d7
parent a078254508
2 changed files with 16 additions and 1 deletions
--- a/awx/api/views.py
+++ b/awx/api/views.py
@ -1208,7 +1208,12 @@ class UserRolesList(SubListCreateAttachDetachAPIView):
            return Response(data, status=status.HTTP_400_BAD_REQUEST)

        if sub_id == self.request.user.admin_role.pk:
-            raise PermissionDenied('You may not remove your own admin_role.')
+            raise PermissionDenied('You may not perform any action with your own admin_role.')
+
+        role = get_object_or_404(Role, pk=sub_id)
+        user_content_type = ContentType.objects.get_for_model(User)
+        if role.content_type == user_content_type:
+            raise PermissionDenied('You may not change the membership of a users admin_role')

        return super(UserRolesList, self).post(request, *args, **kwargs)

--- a/awx/main/tests/functional/api/test_user.py
+++ b/awx/main/tests/functional/api/test_user.py
@ -66,3 +66,13 @@ def test_create_delete_create_user(post, delete, admin):
    }, admin)
    print(response.data)
    assert response.status_code == 201
+
+@pytest.mark.django_db
+def test_add_user_admin_role_member(post, user):
+    admin = user('admin', is_superuser=True)
+    normal = user('normal')
+
+    url = reverse('api:user_roles_list', args=(admin.pk,))
+    response = post(url, {'id':normal.admin_role.pk}, admin)
+    assert response.status_code == 403
+    assert 'not change membership' in response.rendered_content