Merge pull request #2618 from anoek/2561

Fixed inventory edit editablity from update_role users
2026-01-13 11:00:03 -03:30 · 2016-06-24 14:19:59 -04:00 · 2016-06-24 14:19:59 -04:00 · 146fce2dc4
commit 146fce2dc4
parent 1b9b14d6f7 291c8126d7
3 changed files with 154 additions and 23 deletions
--- a/awx/main/access.py
+++ b/awx/main/access.py
@ -401,7 +401,7 @@ class HostAccess(BaseAccess):
        # Checks for admin or change permission on inventory.
        inventory_pk = get_pk_from_dict(data, 'inventory')
        inventory = get_object_or_400(Inventory, pk=inventory_pk)
-        if self.user not in inventory.update_role:
+        if self.user not in inventory.admin_role:
            return False

        # Check to see if we have enough licenses
@ -415,7 +415,7 @@ class HostAccess(BaseAccess):
            raise PermissionDenied('Unable to change inventory on a host.')
        # Checks for admin or change permission on inventory, controls whether
        # the user can edit variable data.
-        return obj and self.user in obj.inventory.update_role
+        return obj and self.user in obj.inventory.admin_role

    def can_attach(self, obj, sub_obj, relationship, data,
                   skip_sub_obj_read_check=False):
@ -452,7 +452,7 @@ class GroupAccess(BaseAccess):
        # Checks for admin or change permission on inventory.
        inventory_pk = get_pk_from_dict(data, 'inventory')
        inventory = get_object_or_400(Inventory, pk=inventory_pk)
-        return self.user in inventory.update_role
+        return self.user in inventory.admin_role

    def can_change(self, obj, data):
        # Prevent moving a group to a different inventory.
@ -461,7 +461,7 @@ class GroupAccess(BaseAccess):
            raise PermissionDenied('Unable to change inventory on a group.')
        # Checks for admin or change permission on inventory, controls whether
        # the user can attach subgroups or edit variable data.
-        return obj and self.user in obj.inventory.update_role
+        return obj and self.user in obj.inventory.admin_role

    def can_attach(self, obj, sub_obj, relationship, data,
                   skip_sub_obj_read_check=False):
--- a/awx/main/tests/functional/api/test_inventory.py
+++ b/awx/main/tests/functional/api/test_inventory.py
@ -0,0 +1,150 @@
+import pytest
+
+from django.core.urlresolvers import reverse
+
+@pytest.mark.django_db
+def test_inventory_source_notification_on_cloud_only(get, post, group_factory, user, notification_template):
+    u = user('admin', True)
+    g_cloud = group_factory('cloud')
+    g_not = group_factory('not_cloud')
+    cloud_is = g_cloud.inventory_source
+    not_is = g_not.inventory_source
+    cloud_is.source = 'ec2'
+    cloud_is.save()
+    url = reverse('api:inventory_source_notification_templates_any_list', args=(cloud_is.id,))
+    response = post(url, dict(id=notification_template.id), u)
+    assert response.status_code == 204
+    url = reverse('api:inventory_source_notification_templates_success_list', args=(not_is.id,))
+    response = post(url, dict(id=notification_template.id), u)
+    assert response.status_code == 400
+
+
+@pytest.mark.parametrize("role_field,expected_status_code", [
+    (None, 403),
+    ('admin_role', 200),
+    ('update_role', 403),
+    ('adhoc_role', 403),
+    ('use_role', 403)
+])
+@pytest.mark.django_db
+def test_edit_inventory(put, inventory, alice, role_field, expected_status_code):
+    data = { 'organization': inventory.organization.id, 'name': 'New name', 'description': 'Hello world', }
+    if role_field:
+        getattr(inventory, role_field).members.add(alice)
+    put(reverse('api:inventory_detail', args=(inventory.id,)), data, alice, expect=expected_status_code)
+
+
+@pytest.mark.parametrize("role_field,expected_status_code", [
+    (None, 403),
+    ('admin_role', 201),
+    ('update_role', 403),
+    ('adhoc_role', 403),
+    ('use_role', 403)
+])
+@pytest.mark.django_db
+def test_create_inventory_group(post, inventory, alice, role_field, expected_status_code):
+    data = { 'name': 'New name', 'description': 'Hello world', }
+    if role_field:
+        getattr(inventory, role_field).members.add(alice)
+    post(reverse('api:inventory_groups_list', args=(inventory.id,)), data, alice, expect=expected_status_code)
+
+@pytest.mark.parametrize("role_field,expected_status_code", [
+    (None, 403),
+    ('admin_role', 201),
+    ('update_role', 403),
+    ('adhoc_role', 403),
+    ('use_role', 403)
+])
+@pytest.mark.django_db
+def test_create_inventory_group_child(post, group, alice, role_field, expected_status_code):
+    data = { 'name': 'New name', 'description': 'Hello world', }
+    if role_field:
+        getattr(group.inventory, role_field).members.add(alice)
+    post(reverse('api:group_children_list', args=(group.id,)), data, alice, expect=expected_status_code)
+
+
+@pytest.mark.parametrize("role_field,expected_status_code", [
+    (None, 403),
+    ('admin_role', 200),
+    ('update_role', 403),
+    ('adhoc_role', 403),
+    ('use_role', 403)
+])
+@pytest.mark.django_db
+def test_edit_inventory_group(put, group, alice, role_field, expected_status_code):
+    data = { 'name': 'New name', 'description': 'Hello world', }
+    if role_field:
+        getattr(group.inventory, role_field).members.add(alice)
+    put(reverse('api:group_detail', args=(group.id,)), data, alice, expect=expected_status_code)
+
+
+@pytest.mark.parametrize("role_field,expected_status_code", [
+    (None, 403),
+    ('admin_role', 204),
+    ('update_role', 403),
+    ('adhoc_role', 403),
+    ('use_role', 403)
+])
+@pytest.mark.django_db
+def test_delete_inventory_group(delete, group, alice, role_field, expected_status_code):
+    if role_field:
+        getattr(group.inventory, role_field).members.add(alice)
+    delete(reverse('api:group_detail', args=(group.id,)), alice, expect=expected_status_code)
+
+
+@pytest.mark.parametrize("role_field,expected_status_code", [
+    (None, 403),
+    ('admin_role', 201),
+    ('update_role', 403),
+    ('adhoc_role', 403),
+    ('use_role', 403)
+])
+@pytest.mark.django_db
+def test_create_inventory_host(post, inventory, alice, role_field, expected_status_code):
+    data = { 'name': 'New name', 'description': 'Hello world', }
+    if role_field:
+        getattr(inventory, role_field).members.add(alice)
+    post(reverse('api:inventory_hosts_list', args=(inventory.id,)), data, alice, expect=expected_status_code)
+
+@pytest.mark.parametrize("role_field,expected_status_code", [
+    (None, 403),
+    ('admin_role', 201),
+    ('update_role', 403),
+    ('adhoc_role', 403),
+    ('use_role', 403)
+])
+@pytest.mark.django_db
+def test_create_inventory_group_host(post, group, alice, role_field, expected_status_code):
+    data = { 'name': 'New name', 'description': 'Hello world', }
+    if role_field:
+        getattr(group.inventory, role_field).members.add(alice)
+    post(reverse('api:group_hosts_list', args=(group.id,)), data, alice, expect=expected_status_code)
+
+
+@pytest.mark.parametrize("role_field,expected_status_code", [
+    (None, 403),
+    ('admin_role', 200),
+    ('update_role', 403),
+    ('adhoc_role', 403),
+    ('use_role', 403)
+])
+@pytest.mark.django_db
+def test_edit_inventory_host(put, host, alice, role_field, expected_status_code):
+    data = { 'name': 'New name', 'description': 'Hello world', }
+    if role_field:
+        getattr(host.inventory, role_field).members.add(alice)
+    put(reverse('api:host_detail', args=(host.id,)), data, alice, expect=expected_status_code)
+
+
+@pytest.mark.parametrize("role_field,expected_status_code", [
+    (None, 403),
+    ('admin_role', 204),
+    ('update_role', 403),
+    ('adhoc_role', 403),
+    ('use_role', 403)
+])
+@pytest.mark.django_db
+def test_delete_inventory_host(delete, host, alice, role_field, expected_status_code):
+    if role_field:
+        getattr(host.inventory, role_field).members.add(alice)
+    delete(reverse('api:host_detail', args=(host.id,)), alice, expect=expected_status_code)
--- a/awx/main/tests/functional/test_inventory.py
+++ b/awx/main/tests/functional/test_inventory.py
@ -1,19 +0,0 @@
-import pytest
-
-from django.core.urlresolvers import reverse
-
-@pytest.mark.django_db
-def test_inventory_source_notification_on_cloud_only(get, post, group_factory, user, notification_template):
-    u = user('admin', True)
-    g_cloud = group_factory('cloud')
-    g_not = group_factory('not_cloud')
-    cloud_is = g_cloud.inventory_source
-    not_is = g_not.inventory_source
-    cloud_is.source = 'ec2'
-    cloud_is.save()
-    url = reverse('api:inventory_source_notification_templates_any_list', args=(cloud_is.id,))
-    response = post(url, dict(id=notification_template.id), u)
-    assert response.status_code == 204
-    url = reverse('api:inventory_source_notification_templates_success_list', args=(not_is.id,))
-    response = post(url, dict(id=notification_template.id), u)
-    assert response.status_code == 400