External-Mirrors/awx
2
0
Fork 0
mirror of https://github.com/ansible/awx.git synced 2026-03-13 15:09:32 -02:30
Code Issues Packages Projects Releases Wiki Activity

Switch to explicit checks for system auditor for all applicable get_queryset calls

Browse Source 
Solves #2918 and probably a couple other corner cases where orphan
situations could happen
This commit is contained in:
Akita Noek
2016-07-11 14:06:40 -04:00
parent 53b705f1bb
commit 134b60dbed
1 changed files with 17 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files

36
awx/main/access.py
View File

@@ -139,7 +139,7 @@ class BaseAccess(object):
self.user = user self.user = user
def get_queryset(self): def get_queryset(self):
if self.user.is_superuser: if self.user.is_superuser or self.user.is_system_auditor:
return self.model.objects.all() return self.model.objects.all()
else: else:
return self.model.objects.none() return self.model.objects.none()
@@ -221,7 +221,7 @@ class UserAccess(BaseAccess):
model = User model = User
def get_queryset(self): def get_queryset(self):
if self.user.is_superuser: if self.user.is_superuser or self.user.is_system_auditor:
return User.objects.all() return User.objects.all()
if tower_settings.ORG_ADMINS_CAN_SEE_ALL_USERS and \ if tower_settings.ORG_ADMINS_CAN_SEE_ALL_USERS and \
@@ -718,7 +718,7 @@ class ProjectAccess(BaseAccess):
model = Project model = Project
def get_queryset(self): def get_queryset(self):
if self.user.is_superuser: if self.user.is_superuser or self.user.is_system_auditor:
return self.model.objects.all() return self.model.objects.all()
qs = self.model.accessible_objects(self.user, 'read_role') qs = self.model.accessible_objects(self.user, 'read_role')
return qs.select_related('modified_by', 'credential', 'current_job', 'last_job').all() return qs.select_related('modified_by', 'credential', 'current_job', 'last_job').all()
@@ -752,7 +752,7 @@ class ProjectUpdateAccess(BaseAccess):
model = ProjectUpdate model = ProjectUpdate
def get_queryset(self): def get_queryset(self):
if self.user.is_superuser: if self.user.is_superuser or self.user.is_system_auditor:
return self.model.objects.all() return self.model.objects.all()
qs = ProjectUpdate.objects.distinct() qs = ProjectUpdate.objects.distinct()
qs = qs.select_related('created_by', 'modified_by', 'project') qs = qs.select_related('created_by', 'modified_by', 'project')
@@ -788,7 +788,7 @@ class JobTemplateAccess(BaseAccess):
model = JobTemplate model = JobTemplate
def get_queryset(self): def get_queryset(self):
if self.user.is_superuser: if self.user.is_superuser or self.user.is_system_auditor:
qs = self.model.objects.all() qs = self.model.objects.all()
else: else:
qs = self.model.accessible_objects(self.user, 'read_role') qs = self.model.accessible_objects(self.user, 'read_role')
@@ -979,7 +979,7 @@ class JobAccess(BaseAccess):
qs = qs.select_related('created_by', 'modified_by', 'job_template', 'inventory', qs = qs.select_related('created_by', 'modified_by', 'job_template', 'inventory',
'project', 'credential', 'cloud_credential', 'job_template') 'project', 'credential', 'cloud_credential', 'job_template')
qs = qs.prefetch_related('unified_job_template') qs = qs.prefetch_related('unified_job_template')
if self.user.is_superuser: if self.user.is_superuser or self.user.is_system_auditor:
return qs.all() return qs.all()
qs_jt = qs.filter( qs_jt = qs.filter(
@@ -1086,7 +1086,7 @@ class AdHocCommandAccess(BaseAccess):
qs = self.model.objects.distinct() qs = self.model.objects.distinct()
qs = qs.select_related('created_by', 'modified_by', 'inventory', qs = qs.select_related('created_by', 'modified_by', 'inventory',
'credential') 'credential')
if self.user.is_superuser: if self.user.is_superuser or self.user.is_system_auditor:
return qs.all() return qs.all()
inventory_qs = Inventory.accessible_objects(self.user, 'read_role') inventory_qs = Inventory.accessible_objects(self.user, 'read_role')
@@ -1147,7 +1147,7 @@ class AdHocCommandEventAccess(BaseAccess):
qs = self.model.objects.distinct() qs = self.model.objects.distinct()
qs = qs.select_related('ad_hoc_command', 'host') qs = qs.select_related('ad_hoc_command', 'host')
if self.user.is_superuser: if self.user.is_superuser or self.user.is_system_auditor:
return qs.all() return qs.all()
ad_hoc_command_qs = self.user.get_queryset(AdHocCommand) ad_hoc_command_qs = self.user.get_queryset(AdHocCommand)
host_qs = self.user.get_queryset(Host) host_qs = self.user.get_queryset(Host)
@@ -1173,7 +1173,7 @@ class JobHostSummaryAccess(BaseAccess):
def get_queryset(self): def get_queryset(self):
qs = self.model.objects qs = self.model.objects
qs = qs.select_related('job', 'job__job_template', 'host') qs = qs.select_related('job', 'job__job_template', 'host')
if self.user.is_superuser: if self.user.is_superuser or self.user.is_system_auditor:
return qs.all() return qs.all()
job_qs = self.user.get_queryset(Job) job_qs = self.user.get_queryset(Job)
host_qs = self.user.get_queryset(Host) host_qs = self.user.get_queryset(Host)
@@ -1205,7 +1205,7 @@ class JobEventAccess(BaseAccess):
event_data__icontains='"ansible_job_id": "', event_data__icontains='"ansible_job_id": "',
event_data__contains='"module_name": "async_status"') event_data__contains='"module_name": "async_status"')
if self.user.is_superuser: if self.user.is_superuser or self.user.is_system_auditor:
return qs.all() return qs.all()
job_qs = self.user.get_queryset(Job) job_qs = self.user.get_queryset(Job)
@@ -1318,7 +1318,7 @@ class ScheduleAccess(BaseAccess):
qs = self.model.objects.all() qs = self.model.objects.all()
qs = qs.select_related('created_by', 'modified_by') qs = qs.select_related('created_by', 'modified_by')
qs = qs.prefetch_related('unified_job_template') qs = qs.prefetch_related('unified_job_template')
if self.user.is_superuser: if self.user.is_superuser or self.user.is_system_auditor:
return qs.all() return qs.all()
job_template_qs = self.user.get_queryset(JobTemplate) job_template_qs = self.user.get_queryset(JobTemplate)
inventory_source_qs = self.user.get_queryset(InventorySource) inventory_source_qs = self.user.get_queryset(InventorySource)
@@ -1369,7 +1369,7 @@ class NotificationTemplateAccess(BaseAccess):
def get_queryset(self): def get_queryset(self):
qs = self.model.objects.all() qs = self.model.objects.all()
if self.user.is_superuser: if self.user.is_superuser or self.user.is_system_auditor:
return qs return qs
return self.model.objects.filter(organization__in=Organization.accessible_objects(self.user, 'admin_role').all()) return self.model.objects.filter(organization__in=Organization.accessible_objects(self.user, 'admin_role').all())
@@ -1413,7 +1413,7 @@ class NotificationAccess(BaseAccess):
def get_queryset(self): def get_queryset(self):
qs = self.model.objects.all() qs = self.model.objects.all()
if self.user.is_superuser: if self.user.is_superuser or self.user.is_system_auditor:
return qs return qs
return self.model.objects.filter(notification_template__organization__in=Organization.accessible_objects(self.user, 'admin_role')) return self.model.objects.filter(notification_template__organization__in=Organization.accessible_objects(self.user, 'admin_role'))
@@ -1430,7 +1430,7 @@ class LabelAccess(BaseAccess):
model = Label model = Label
def get_queryset(self): def get_queryset(self):
if self.user.is_superuser: if self.user.is_superuser or self.user.is_system_auditor:
return self.model.objects.all() return self.model.objects.all()
return self.model.objects.filter( return self.model.objects.filter(
organization__in=Organization.accessible_objects(self.user, 'read_role') organization__in=Organization.accessible_objects(self.user, 'read_role')
@@ -1493,9 +1493,7 @@ class ActivityStreamAccess(BaseAccess):
'inventory_update', 'credential', 'team', 'project', 'project_update', 'inventory_update', 'credential', 'team', 'project', 'project_update',
'permission', 'job_template', 'job', 'ad_hoc_command', 'permission', 'job_template', 'job', 'ad_hoc_command',
'notification_template', 'notification', 'label', 'role') 'notification_template', 'notification', 'label', 'role')
if self.user.is_superuser: if self.user.is_superuser or self.user.is_system_auditor:
return qs.all()
if self.user in Role.singleton('system_auditor'):
return qs.all() return qs.all()
inventory_set = Inventory.accessible_objects(self.user, 'read_role') inventory_set = Inventory.accessible_objects(self.user, 'read_role')
@@ -1543,7 +1541,7 @@ class CustomInventoryScriptAccess(BaseAccess):
model = CustomInventoryScript model = CustomInventoryScript
def get_queryset(self): def get_queryset(self):
if self.user.is_superuser: if self.user.is_superuser or self.user.is_system_auditor:
return self.model.objects.distinct().all() return self.model.objects.distinct().all()
return self.model.accessible_objects(self.user, 'read_role').all() return self.model.accessible_objects(self.user, 'read_role').all()
@@ -1599,7 +1597,7 @@ class RoleAccess(BaseAccess):
def can_read(self, obj): def can_read(self, obj):
if not obj: if not obj:
return False return False
if self.user.is_superuser: if self.user.is_superuser or self.user.is_system_auditor:
return True return True
if obj.object_id: if obj.object_id: