diff --git a/awx/api/serializers.py b/awx/api/serializers.py
index 5f0f3010b3..b170be20f4 100644
--- a/awx/api/serializers.py
+++ b/awx/api/serializers.py
@@ -1829,6 +1829,7 @@ class ResourceAccessListElementSerializer(UserSerializer):
 
 class CredentialTypeSerializer(BaseSerializer):
     show_capabilities = ['edit', 'delete']
+    managed_by_tower = serializers.ReadOnlyField()
 
     class Meta:
         model = CredentialType
@@ -1836,6 +1837,9 @@ class CredentialTypeSerializer(BaseSerializer):
                   'injectors')
 
     def validate(self, attrs):
+        if self.instance and self.instance.managed_by_tower:
+            raise serializers.ValidationError(
+                {"detail": _("Modifications not allowed for credential types managed by Tower")})
         fields = attrs.get('inputs', {}).get('fields', [])
         for field in fields:
             if field.get('ask_at_runtime', False):
diff --git a/awx/main/access.py b/awx/main/access.py
index 0fe1518c86..7a55d51db9 100644
--- a/awx/main/access.py
+++ b/awx/main/access.py
@@ -821,14 +821,10 @@ class CredentialTypeAccess(BaseAccess):
     def can_use(self, obj):
         return True
 
-    def can_add(self, data):
-        return self.user.is_superuser
-
-    def can_change(self, obj, data):
-        return self.user.is_superuser and not obj.managed_by_tower
-
-    def can_delete(self, obj):
-        return self.user.is_superuser and not obj.managed_by_tower
+    def get_method_capability(self, method, obj, parent_obj):
+        if obj.managed_by_tower:
+            return False
+        return super(CredentialTypeAccess, self).get_method_capability(method, obj, parent_obj)
 
 
 class CredentialAccess(BaseAccess):
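Review bot: The new `managed_by_tower = serializers.ReadOnlyField()` declaration deserves a why-comment, because the reason it must stay read-only is not local to this line: elsewhere in this commit a type carrying managed_by_tower is refused every modification and every capability, so a client able to set the flag on POST would create a type that nobody can change or delete afterwards. I would put `# Read-only on purpose: a client must never be able to mark a type as Tower-managed, since that locks it permanently.` directly above the field. Declaring the field only controls deserialisation; it is still emitted only if 'managed_by_tower' appears in Meta.fields, and that tuple lies outside the hunk, so please confirm it is listed there. CredentialTypeSerializer continues past the end of this hunk.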
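Review bot: The guard added at the top of validate() reports an authorisation decision as a 400 validation error keyed "detail" rather than a 403, and it only runs for writes that pass through this serializer, so it never sees a DELETE. If the intent is that a Tower-managed type is immutable even for superusers, raising `PermissionDenied(_("Modifications not allowed for credential types managed by Tower"))` here (from rest_framework.exceptions, if the module does not already import it) matches the semantics better, and deletion still needs its own check somewhere unless a view- or model-level guard this diff does not show already refuses it. A one-line comment such as `# Tower-managed types are immutable regardless of the caller's role` would also help, since the rule is otherwise invisible to a reader of validate(). validate() continues past the end of the hunk.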
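Review bot: Deleting can_change() and can_delete() removes the only access-layer rejection of managed_by_tower on mutations, and the replacement get_method_capability() appears to feed the user_capabilities summary that show_capabilities consumes rather than the permission check run before a write, so enforcement now rests on the inherited BaseAccess defaults plus the serializer's validate() guard, which never runs for DELETE. Unless a view or model check outside this diff already refuses it, a superuser can now delete a Tower-managed credential type. I would keep explicit overrides for the two mutating methods next to the new capability hook, as below, so the access layer and the UI capability flags stay in agreement. The class header and any earlier methods of CredentialTypeAccess lie before this hunk and are not visible here.
```python
    def can_change(self, obj, data):
        return self.user.is_superuser and not obj.managed_by_tower

    def can_delete(self, obj):
        return self.user.is_superuser and not obj.managed_by_tower

    # … unchanged: get_method_capability …
```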
@@ -2138,7 +2134,7 @@ class ActivityStreamAccess(BaseAccess):
         '''
         qs = self.model.objects.all()
         qs = qs.prefetch_related('organization', 'user', 'inventory', 'host', 'group', 'inventory_source',
-                                 'inventory_update', 'credential', 'team', 'project', 'project_update',
+                                 'inventory_update', 'credential', 'credential_type', 'team', 'project', 'project_update',
                                  'job_template', 'job', 'ad_hoc_command', 'notification_template',
                                  'notification', 'label', 'role', 'actor', 'schedule', 'custom_inventory_script', 'unified_job_template',