From a88f03b372c478529b1debc53565f7cd244c4113 Mon Sep 17 00:00:00 2001
From: Bill Nottingham
Date: Mon, 6 Jul 2020 13:48:58 -0400
Subject: [PATCH 1/2] Reintroduce label filtering

Labels are visible if you have a role on the org they are in, or on a job template they're attached to.
---
 awx/main/access.py | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/awx/main/access.py b/awx/main/access.py
index 4705fb2cfc..d0f3bd6c96 100644
--- a/awx/main/access.py
+++ b/awx/main/access.py
@@ -2480,13 +2480,16 @@ class NotificationAccess(BaseAccess):
 class LabelAccess(BaseAccess):
     '''
-    I can see/use a Label if I have permission to associated organization
+    I can see/use a Label if I have permission to associated organization, or to a JT that the label is on
     '''
 
     model = Label
     prefetch_related = ('modified_by', 'created_by', 'organization',)
 
     def filtered_queryset(self):
-        return self.model.objects.all()
+        return self.model.objects.filter(
+            Q(organization__in=Organization.accessible_pk_qs(self.user, 'read_role')) |
+            Q(unifiedjobtemplate_labels__in=UnifiedJobTemplate.accessible_pk_qs(self.user, 'read_role'))
+        )
 
     @check_superuser
     def can_add(self, data):

From 7322e134360e0f7b803f39ece1a727c426f427db Mon Sep 17 00:00:00 2001
From: Ryan Petrello
Date: Wed, 8 Jul 2020 16:53:05 -0400
Subject: [PATCH 2/2] add tests for clarified label permissions

---
 awx/main/tests/functional/test_rbac_label.py | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/awx/main/tests/functional/test_rbac_label.py b/awx/main/tests/functional/test_rbac_label.py
index 955894c06f..ed819df9f0 100644
--- a/awx/main/tests/functional/test_rbac_label.py
+++ b/awx/main/tests/functional/test_rbac_label.py
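Review bot: The new `filtered_queryset` ORs a condition on the reverse many-to-many `unifiedjobtemplate_labels` with the organization condition, and in the Django ORM a filter across a multi-valued relation yields one row per matching join row, so a label attached to several job templates the user can read is likely to be returned more than once; closing the call with `).distinct()` avoids drifting counts and pagination in the label list. The hunk also replaces an unconditional `objects.all()` that exposed every label's name across organizations, so it is worth stating in a comment that this queryset is the visibility boundary, e.g. `# Visibility boundary: org read access, or read access on any JT the label is attached to.` Whether `can_read` and the attach/"use" paths of this class consult this queryset is not visible in the hunk (the second patch's tests suggest `can_read` does), and superuser bypass is presumably handled by the base class rather than here. The `LabelAccess` class continues past the end of the hunk.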
@@ -20,8 +20,19 @@ def test_label_get_queryset_su(label, user):
 @pytest.mark.django_db
-def test_label_access(label, user):
+def test_label_read_access(label, user):
     access = LabelAccess(user('user', False))
+    assert not access.can_read(label)
+    label.organization.member_role.members.add(user('user', False))
+    assert access.can_read(label)
+
+
+@pytest.mark.django_db
+def test_label_jt_read_access(label, user, job_template):
+    access = LabelAccess(user('user', False))
+    assert not access.can_read(label)
+    job_template.read_role.members.add(user('user', False))
+    job_template.labels.add(label)
     assert access.can_read(label)