External-Mirrors/awx
2
0
Fork 0
mirror of https://github.com/ansible/awx.git synced 2026-03-05 02:31:03 -03:30
Code Issues Packages Projects Releases Wiki Activity

Inventory/Group/Host updating is allowed by those with update_role not just admin_role

Browse Source
This commit is contained in:
Akita Noek
2016-05-02 16:38:57 -04:00
parent e50f20eb69
commit 18796ec3ff
1 changed files with 6 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
awx/main/access.py
View File

@@ -349,7 +349,7 @@ class InventoryAccess(BaseAccess):
if self.user not in org.admin_role: if self.user not in org.admin_role:
return False return False
# Otherwise, just check for write permission. # Otherwise, just check for write permission.
return self.user in obj.admin_role return self.user in obj.update_role
@check_superuser @check_superuser
def can_admin(self, obj, data): def can_admin(self, obj, data):
@@ -401,7 +401,7 @@ class HostAccess(BaseAccess):
# Checks for admin or change permission on inventory. # Checks for admin or change permission on inventory.
inventory_pk = get_pk_from_dict(data, 'inventory') inventory_pk = get_pk_from_dict(data, 'inventory')
inventory = get_object_or_400(Inventory, pk=inventory_pk) inventory = get_object_or_400(Inventory, pk=inventory_pk)
if self.user not in inventory.admin_role: if self.user not in inventory.update_role:
return False return False
# Check to see if we have enough licenses # Check to see if we have enough licenses
@@ -415,7 +415,7 @@ class HostAccess(BaseAccess):
raise PermissionDenied('Unable to change inventory on a host') raise PermissionDenied('Unable to change inventory on a host')
# Checks for admin or change permission on inventory, controls whether # Checks for admin or change permission on inventory, controls whether
# the user can edit variable data. # the user can edit variable data.
return obj and self.user in obj.inventory.admin_role return obj and self.user in obj.inventory.update_role
def can_attach(self, obj, sub_obj, relationship, data, def can_attach(self, obj, sub_obj, relationship, data,
skip_sub_obj_read_check=False): skip_sub_obj_read_check=False):
@@ -452,7 +452,7 @@ class GroupAccess(BaseAccess):
# Checks for admin or change permission on inventory. # Checks for admin or change permission on inventory.
inventory_pk = get_pk_from_dict(data, 'inventory') inventory_pk = get_pk_from_dict(data, 'inventory')
inventory = get_object_or_400(Inventory, pk=inventory_pk) inventory = get_object_or_400(Inventory, pk=inventory_pk)
return self.user in inventory.admin_role return self.user in inventory.update_role
def can_change(self, obj, data): def can_change(self, obj, data):
# Prevent moving a group to a different inventory. # Prevent moving a group to a different inventory.
@@ -461,7 +461,7 @@ class GroupAccess(BaseAccess):
raise PermissionDenied('Unable to change inventory on a group') raise PermissionDenied('Unable to change inventory on a group')
# Checks for admin or change permission on inventory, controls whether # Checks for admin or change permission on inventory, controls whether
# the user can attach subgroups or edit variable data. # the user can attach subgroups or edit variable data.
return obj and self.user in obj.inventory.admin_role return obj and self.user in obj.inventory.update_role
def can_attach(self, obj, sub_obj, relationship, data, def can_attach(self, obj, sub_obj, relationship, data,
skip_sub_obj_read_check=False): skip_sub_obj_read_check=False):
@@ -514,7 +514,7 @@ class InventorySourceAccess(BaseAccess):
def can_change(self, obj, data): def can_change(self, obj, data):
# Checks for admin or change permission on group. # Checks for admin or change permission on group.
if obj and obj.group: if obj and obj.group:
return self.user in obj.group.admin_role return self.user in obj.group.update_role
# Can't change inventory sources attached to only the inventory, since # Can't change inventory sources attached to only the inventory, since
# these are created automatically from the management command. # these are created automatically from the management command.
else: else: