From 07d151b8cbceda15551360af3383ff8401672c6f Mon Sep 17 00:00:00 2001
From: Chris Church
Date: Tue, 25 Jun 2013 14:54:09 -0400
Subject: [PATCH] Add validation for permission serializer.
---
 awx/main/serializers.py | 15 +++++++++++++++
 awx/main/tests/projects.py | 26 +++++++++++++++++++++++++-
 2 files changed, 40 insertions(+), 1 deletion(-)
diff --git a/awx/main/serializers.py b/awx/main/serializers.py
index 4308f52070..1366021c45 100644
--- a/awx/main/serializers.py
+++ b/awx/main/serializers.py
@@ -267,6 +267,21 @@ class PermissionSerializer(BaseSerializer):
 res['inventory'] = reverse('main:inventory_detail', args=(obj.inventory.pk,))
 return res
+ def validate(self, attrs):
+ # Can only set either user or team.
+ if attrs['user'] and attrs['team']:
+ raise serializers.ValidationError('permission can only be assigned'
+ ' to a user OR a team, not both')
+ # Cannot assign admit/read/write permissions for a project.
+ if attrs['permission_type'] in ('admin', 'read', 'write') and attrs['project']:
+ raise serializers.ValidationError('project cannot be assigned for '
+ 'inventory-only permissions')
+ # Project is required when setting deployment permissions.
+ if attrs['permission_type'] in ('run', 'check') and not attrs['project']:
+ raise serializers.ValidationError('project is required when '
+ 'assigning deployment permissions')
+ return attrs
+
 class CredentialSerializer(BaseSerializer):
 # FIXME: may want to make some of these filtered based on user accessing
diff --git a/awx/main/tests/projects.py b/awx/main/tests/projects.py
index 63c4255f78..ca34bddd05 100644
--- a/awx/main/tests/projects.py
+++ b/awx/main/tests/projects.py
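Review bot: The `attrs['user']`, `attrs['team']`, `attrs['permission_type']` and `attrs['project']` subscripts in `validate` assume every key is present; if this serializer is ever run with partial data (a PATCH, if the views allow one), a missing key would raise KeyError instead of producing a 400. For a rule that governs how permissions are granted, the bigger concern is that the checks would then see only the submitted fields, so an update that adds `team` to a permission already bound to a `user` is not compared against the stored value. I would read the values with `.get()`, e.g. `if attrs.get('user') and attrs.get('team'):`, and fall back to the existing object's fields when updating. The literals `('admin', 'read', 'write')` and `('run', 'check')` look like they duplicate the `PERM_INVENTORY_*` constants the tests use, and the comment `# Cannot assign admit/read/write permissions` should read `admin`.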
@@ -510,7 +510,25 @@ class ProjectsTest(BaseTest):
 posted = self.post(url, user_permission, expect=201, auth=self.get_super_credentials())
 url2 = posted['url']
 got = self.get(url2, expect=200, auth=self.get_other_credentials())
-
+
+ # cannot add permissions that apply to both team and user
+ url = reverse('main:user_permissions_list', args=(user.pk,))
+ user_permission['name'] = 'user permission 2'
+ user_permission['team'] = team.pk
+ self.post(url, user_permission, expect=400, auth=self.get_super_credentials())
+
+ # cannot set admin/read/write permissions when a project is involved.
+ user_permission.pop('team')
+ user_permission['name'] = 'user permission 3'
+ user_permission['permission_type'] = PERM_INVENTORY_ADMIN
+ self.post(url, user_permission, expect=400, auth=self.get_super_credentials())
+
+ # project is required for a deployment permission
+ user_permission['name'] = 'user permission 4'
+ user_permission['permission_type'] = PERM_INVENTORY_DEPLOY
+ user_permission.pop('project')
+ self.post(url, user_permission, expect=400, auth=self.get_super_credentials())
+
 # can add permissions on a team
 url = reverse('main:team_permissions_list', args=(team.pk,))
 posted = self.post(url, team_permission, expect=201, auth=self.get_super_credentials())
@@ -518,6 +536,12 @@ class ProjectsTest(BaseTest):
 # check we can get that permission back
 got = self.get(url2, expect=200, auth=self.get_other_credentials())
+ # cannot add permissions that apply to both team and user
+ url = reverse('main:team_permissions_list', args=(team.pk,))
+ team_permission['name'] += '2'
+ team_permission['user'] = user.pk
+ self.post(url, team_permission, expect=400, auth=self.get_super_credentials())
+
 # can list permissions on a user
 url = reverse('main:user_permissions_list', args=(user.pk,))
 got = self.get(url, expect=200, auth=self.get_super_credentials())
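Review bot: The new negative cases assert only `expect=400`, so a rejection for any other reason (a missing field, a name clash) would satisfy them without the intended rule firing; the same holds for the team case in the second hunk. Since `self.post` returns the parsed body elsewhere in this test (`posted['url']`), each case could capture it and check that the error text names the rule, e.g. `resp = self.post(url, user_permission, expect=400, auth=self.get_super_credentials())` followed by an assertion on `resp`. `user_permission` and `team_permission` are also mutated in place (`pop('team')`, `pop('project')`, a changed `permission_type`, an added `user`), so any later use of these dicts in the method, which continues outside the hunks, sees the altered payload; posting a `dict(user_permission, ...)` copy would keep the cases independent. All requests here use the superuser credentials on POST, so the update path and non-admin callers are not covered by these checks.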