From 0fda36116a6fe841b5b2f065b0c4a0bf4db41b90 Mon Sep 17 00:00:00 2001
From: Matthew Jones
Date: Wed, 22 Jun 2016 13:58:14 -0400
Subject: [PATCH] Change org admin role access for inventory scripts

Previously a super user was required to create and administer custom inventory scripts. Since these are tied to organizations this commit extends orgadmin admininstration abilities to custom scripts within their organization
---
 awx/main/access.py | 6 ++++++
 awx/main/tests/functional/test_rbac_inventory.py | 4 ++++
 2 files changed, 10 insertions(+)

diff --git a/awx/main/access.py b/awx/main/access.py
index 30ad1d4bcc..e96a9f3b97 100644
--- a/awx/main/access.py
+++ b/awx/main/access.py
@@ -1506,6 +1506,12 @@ class CustomInventoryScriptAccess(BaseAccess):
 return self.model.objects.distinct().all()
 return self.model.accessible_objects(self.user, 'read_role').all()

+ @check_superuser
+ def can_add(self, data):
+ org_pk = get_pk_from_dict(data, 'organization')
+ org = get_object_or_400(Organization, pk=org_pk)
+ return self.user in org.admin_role
+
 @check_superuser
 def can_admin(self, obj):
 return self.user in obj.admin_role
diff --git a/awx/main/tests/functional/test_rbac_inventory.py b/awx/main/tests/functional/test_rbac_inventory.py
index cefb989e6f..843b530c62 100644
--- a/awx/main/tests/functional/test_rbac_inventory.py
+++ b/awx/main/tests/functional/test_rbac_inventory.py
@@ -12,6 +12,7 @@ from django.apps import apps
 @pytest.mark.django_db
 def test_custom_inv_script_access(organization, user):
 u = user('user', False)
+ ou = user('oadm', False)
 custom_inv = CustomInventoryScript.objects.create(name='test', script='test', description='test')
 custom_inv.organization = organization
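Review bot: `can_add` in `awx/main/access.py` has no fail-closed path when `data` carries no usable `organization`: `org_pk` then goes straight into `get_object_or_400`, so the permission check answers with an error instead of a denial (the helpers are defined outside this hunk, so the exact behaviour is inferred). A guard before the lookup, `if not org_pk: return False`, or the empty-data convention the other access classes in this file use, would make the intent explicit. Because a custom inventory script is executable content, this method now decides which non-superusers may add it, and a docstring should say so, for example `"""Superusers, or admins of the organization named in data, may create scripts."""`. The update path is not shown here; if it relies on `can_admin(obj)` alone, moving a script to a different `organization` would not be checked against the target organization's `admin_role`. The class body starts and ends outside the hunk.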
@@ -21,6 +22,9 @@ def test_custom_inv_script_access(organization, user):
 organization.member_role.members.add(u)
 assert u in custom_inv.read_role

+ organization.admin_role.members.add(ou)
+ assert ou in custom_inv.admin_role
+
 @pytest.mark.django_db
 def test_inventory_admin_user(inventory, permissions, user):
 u = user('admin', False)
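Review bot: The added assertions only verify role inheritance (`ou in custom_inv.admin_role`); the new `CustomInventoryScriptAccess.can_add` is never called, so the permission change this commit makes is untested. I would add a positive and a negative case, `assert CustomInventoryScriptAccess(ou).can_add({'organization': organization.pk})` and `assert not CustomInventoryScriptAccess(u).can_add({'organization': organization.pk})`, importing the access class if the file does not already do so. The negative case matters most, since `u` is only an organization member and must stay unable to create scripts. The test function begins in the previous hunk and part of its body lies outside both hunks.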