External-Mirrors/awx
2
0
Fork 0
mirror of https://github.com/ansible/awx.git synced 2026-03-13 23:17:32 -02:30
Code Issues Packages Projects Releases Wiki Activity

Add more test checks for the alternate code path to the role checks

Browse Source
This commit is contained in:
Jeff Bradberry
2019-04-18 14:53:19 -04:00
parent 41b476544d
commit 0ba87c9729
1 changed files with 22 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

33
awx/main/tests/functional/test_rbac_role.py
View File

@@ -17,24 +17,21 @@ def test_team_access_attach(rando, team, inventory):
# team has read_role for the inventory
team.member_role.children.add(inventory.read_role)
access = TeamAccess(rando)
team_access = TeamAccess(rando)
role_access = RoleAccess(rando)
data = {'id': inventory.admin_role.pk}
assert not access.can_attach(team, inventory.admin_role, 'member_role.children', data, False)
assert not team_access.can_attach(team, inventory.admin_role, 'member_role.children', data, False)
assert not role_access.can_attach(inventory.admin_role, team, 'member_role.parents', data, False)
@pytest.mark.django_db
def test_user_access_attach(rando, inventory):
inventory.read_role.members.add(rando)
access = UserAccess(rando)
user_access = UserAccess(rando)
role_access = RoleAccess(rando)
data = {'id': inventory.admin_role.pk}
assert not access.can_attach(rando, inventory.admin_role, 'roles', data, False)
@pytest.mark.django_db
def test_role_access_attach(rando, inventory):
inventory.read_role.members.add(rando)
access = RoleAccess(rando)
assert not access.can_attach(inventory.admin_role, rando, 'members', None)
assert not user_access.can_attach(rando, inventory.admin_role, 'roles', data, False)
assert not role_access.can_attach(inventory.admin_role, rando, 'members', data, False)
@pytest.mark.django_db
@@ -68,8 +65,11 @@ def test_org_user_role_attach(user, organization, inventory):
organization.admin_role.members.add(admin)
role_access = RoleAccess(admin)
org_access = OrganizationAccess(admin)
assert not role_access.can_attach(organization.member_role, nonmember, 'members', None)
assert not role_access.can_attach(organization.admin_role, nonmember, 'members', None)
assert not org_access.can_attach(organization, nonmember, 'member_role.members', None)
assert not org_access.can_attach(organization, nonmember, 'admin_role.members', None)
# Permissions when adding users/teams to org special-purpose roles
@@ -83,9 +83,15 @@ def test_user_org_object_roles(organization, org_admin, org_member):
assert RoleAccess(org_admin).can_attach(
organization.notification_admin_role, org_member, 'members', None
)
assert OrganizationAccess(org_admin).can_attach(
organization, org_member, 'notification_admin_role.members', None
)
assert not RoleAccess(org_member).can_attach(
organization.notification_admin_role, org_member, 'members', None
)
assert not OrganizationAccess(org_member).can_attach(
organization, org_member, 'notification_admin_role.members', None
)
@pytest.mark.django_db
@@ -120,8 +126,11 @@ def test_org_superuser_role_attach(admin_user, org_admin, organization):
organization.member_role.members.add(admin_user)
role_access = RoleAccess(org_admin)
org_access = OrganizationAccess(org_admin)
assert not role_access.can_attach(organization.member_role, admin_user, 'members', None)
assert not role_access.can_attach(organization.admin_role, admin_user, 'members', None)
assert not org_access.can_attach(organization, admin_user, 'member_role.members', None)
assert not org_access.can_attach(organization, admin_user, 'admin_role.members', None)
user_access = UserAccess(org_admin)
assert not user_access.can_change(admin_user, {'last_name': 'Witzel'})
@@ -185,7 +194,9 @@ def test_orphaned_user_allowed(org_admin, rando, organization):
*orphaned means user is not a member of any organization
'''
role_access = RoleAccess(org_admin)
org_access = OrganizationAccess(org_admin)
assert role_access.can_attach(organization.member_role, rando, 'members', None)
assert org_access.can_attach(organization, rando, 'member_role.members', None)
# Cannot edit the user directly without adding to org first
user_access = UserAccess(org_admin)
assert not user_access.can_change(rando, {'last_name': 'Witzel'})