From b6bbd4fa7711a74ae9718d476fdc9c1cb875e4aa Mon Sep 17 00:00:00 2001
From: Wayne Witzel III
Date: Thu, 28 Apr 2016 13:43:49 -0400
Subject: [PATCH 1/2] ensure change access for adding team roles
---
 awx/api/views.py | 5 ++++-
 awx/main/tests/unit/api/test_views.py | 8 +++++---
 2 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/awx/api/views.py b/awx/api/views.py
index 4ea256c246..0c7164a622 100644
--- a/awx/api/views.py
+++ b/awx/api/views.py
@@ -834,9 +834,12 @@ class TeamRolesList(SubListCreateAttachDetachAPIView):
             raise PermissionDenied()
         return Role.filter_visible_roles(self.request.user, team.member_role.children.all())
 
-    # XXX: Need to enforce permissions
     def post(self, request, *args, **kwargs):
         # Forbid implicit role creation here
+        team = get_object_or_404(Team, pk=self.kwargs['pk'])
+        if not self.request.user.can_access(Team, 'change', team):
+            raise PermissionDenied()
+
         sub_id = request.data.get('id', None)
         if not sub_id:
             data = dict(msg='Role "id" field is missing')
diff --git a/awx/main/tests/unit/api/test_views.py b/awx/main/tests/unit/api/test_views.py
index a5d63906c5..6b886513bd 100644
--- a/awx/main/tests/unit/api/test_views.py
+++ b/awx/main/tests/unit/api/test_views.py
@@ -1,8 +1,9 @@
-# Python
 import pytest
 
-# AWX
-from awx.api.views import ApiV1RootView
+from awx.api.views import (
+    ApiV1RootView,
+)
+
 
 @pytest.fixture
 def mock_response_new(mocker):
@@ -10,6 +11,7 @@ def mock_response_new(mocker):
     m.return_value = m
     return m
 
+
 class TestApiV1RootView:
     def test_get_endpoints(self, mocker, mock_response_new):
         endpoints = [
From ef8eb712c6f7ad129a03fc5d2c6c4f72f166d55a Mon Sep 17 00:00:00 2001
From: Wayne Witzel III
Date: Thu, 28 Apr 2016 15:15:26 -0400
Subject: [PATCH 2/2] added tests to assert team roles attach/unattach permissions, removed previous flawed fix
---
 awx/api/views.py | 4 ----
 awx/main/tests/functional/test_rbac_team.py | 19 +++++++++++++++++++
 2 files changed, 19 insertions(+), 4 deletions(-)
diff --git a/awx/api/views.py b/awx/api/views.py
index 0c7164a622..667df86e63 100644
--- a/awx/api/views.py
+++ b/awx/api/views.py
@@ -836,10 +836,6 @@ class TeamRolesList(SubListCreateAttachDetachAPIView):
 
     def post(self, request, *args, **kwargs):
         # Forbid implicit role creation here
-        team = get_object_or_404(Team, pk=self.kwargs['pk'])
-        if not self.request.user.can_access(Team, 'change', team):
-            raise PermissionDenied()
-
         sub_id = request.data.get('id', None)
         if not sub_id:
             data = dict(msg='Role "id" field is missing')
diff --git a/awx/main/tests/functional/test_rbac_team.py b/awx/main/tests/functional/test_rbac_team.py
index 3961cb837a..d4f03f0cfc 100644
--- a/awx/main/tests/functional/test_rbac_team.py
+++ b/awx/main/tests/functional/test_rbac_team.py
@@ -3,6 +3,25 @@ import pytest
 from awx.main.access import TeamAccess
 from awx.main.models import Project
 
+
+@pytest.mark.django_db
+def test_team_attach_unattach(team, user):
+    u = user('member', False)
+    access = TeamAccess(u)
+
+    team.member_role.members.add(u)
+    assert not access.can_attach(team, u.admin_role, 'member_role.children', None)
+    assert not access.can_unattach(team, u.admin_role, 'member_role.children')
+
+    team.admin_role.members.add(u)
+    assert access.can_attach(team, u.admin_role, 'member_role.children', None)
+    assert access.can_unattach(team, u.admin_role, 'member_role.children')
+
+    u2 = user('non-member', False)
+    access = TeamAccess(u2)
+    assert not access.can_attach(team, u2.admin_role, 'member_role.children', None)
+    assert not access.can_unattach(team, u2.admin_role, 'member_role.chidlren')
+
 @pytest.mark.django_db
 def test_team_access_superuser(team, user):
     team.member_role.members.add(user('member', False))
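Review bot: Nothing left in `post()` says where the permission check for attaching a role to `team.member_role.children` now lives: the explicit `can_access(Team, 'change', team)` guard is gone and the `# XXX: Need to enforce permissions` marker deleted by the previous patch is not restored, so a reader of this method sees no access control at all. Presumably the inherited `SubListCreateAttachDetachAPIView` attach/unattach path consults `TeamAccess.can_attach`/`can_unattach` (which is what the new functional test exercises), but that is not visible in this hunk and a future edit could bypass it unnoticed. Suggest a comment above `sub_id = request.data.get('id', None)`: `# Access control is enforced by the parent attach()/unattach() via TeamAccess.can_attach/can_unattach; see test_rbac_team.test_team_attach_unattach`. `post()` continues past the end of the hunk.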
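Review bot: The final assertion passes a misspelled relationship, `assert not access.can_unattach(team, u2.admin_role, 'member_role.chidlren')`, so it may hold for the wrong reason (an unknown relationship name rather than the non-member's lack of access) and does not cover the case its position implies; it should read `'member_role.children'` like the line above it. Separately, every case attaches the acting user's own `admin_role`; a team admin attaching a role they do not themselves administer (e.g. `u2.admin_role` while acting as `u`) is not exercised, and that is the escalation path a `can_attach` check on this relationship most needs to reject, so it deserves a negative assertion or a comment stating that the policy deliberately does not require it. If this test is meant to stand in for the view-level guard removed from `awx/api/views.py` in the same patch, a request-level test through `TeamRolesList.post` would pin that the view actually routes through `TeamAccess`.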