Inventory/Group/Host updating is allowed by those with update_role not just admin_role

2026-01-12 18:40:01 -03:30 · 2016-05-02 16:38:57 -04:00 · 2016-05-02 16:38:57 -04:00 · 18796ec3ff
commit 18796ec3ff
parent e50f20eb69
1 changed files with 6 additions and 6 deletions
--- a/awx/main/access.py
+++ b/awx/main/access.py
@ -349,7 +349,7 @@ class InventoryAccess(BaseAccess):
            if self.user not in org.admin_role:
                return False
        # Otherwise, just check for write permission.
-        return self.user in obj.admin_role
+        return self.user in obj.update_role

    @check_superuser
    def can_admin(self, obj, data):
@ -401,7 +401,7 @@ class HostAccess(BaseAccess):
        # Checks for admin or change permission on inventory.
        inventory_pk = get_pk_from_dict(data, 'inventory')
        inventory = get_object_or_400(Inventory, pk=inventory_pk)
-        if self.user not in inventory.admin_role:
+        if self.user not in inventory.update_role:
            return False

        # Check to see if we have enough licenses
@ -415,7 +415,7 @@ class HostAccess(BaseAccess):
            raise PermissionDenied('Unable to change inventory on a host')
        # Checks for admin or change permission on inventory, controls whether
        # the user can edit variable data.
-        return obj and self.user in obj.inventory.admin_role
+        return obj and self.user in obj.inventory.update_role

    def can_attach(self, obj, sub_obj, relationship, data,
                   skip_sub_obj_read_check=False):
@ -452,7 +452,7 @@ class GroupAccess(BaseAccess):
        # Checks for admin or change permission on inventory.
        inventory_pk = get_pk_from_dict(data, 'inventory')
        inventory = get_object_or_400(Inventory, pk=inventory_pk)
-        return self.user in inventory.admin_role
+        return self.user in inventory.update_role

    def can_change(self, obj, data):
        # Prevent moving a group to a different inventory.
@ -461,7 +461,7 @@ class GroupAccess(BaseAccess):
            raise PermissionDenied('Unable to change inventory on a group')
        # Checks for admin or change permission on inventory, controls whether
        # the user can attach subgroups or edit variable data.
-        return obj and self.user in obj.inventory.admin_role
+        return obj and self.user in obj.inventory.update_role

    def can_attach(self, obj, sub_obj, relationship, data,
                   skip_sub_obj_read_check=False):
@ -514,7 +514,7 @@ class InventorySourceAccess(BaseAccess):
    def can_change(self, obj, data):
        # Checks for admin or change permission on group.
        if obj and obj.group:
-            return self.user in obj.group.admin_role
+            return self.user in obj.group.update_role
        # Can't change inventory sources attached to only the inventory, since
        # these are created automatically from the management command.
        else: