External-Mirrors/awx
2
0
Fork 0
mirror of https://github.com/ansible/awx.git synced 2026-01-12 02:19:58 -03:30
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #2919 from anoek/2918

Browse Source 
Several system auditor fixes to allow SA's to read and see things
This commit is contained in:
Akita Noek 2016-07-11 15:23:36 -04:00 committed by GitHub
commit 1aeca1bebb
5 changed files with 26 additions and 27 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
awx/api/views.py
View File

@ -1401,7 +1401,7 @@ class OrganizationCredentialList(SubListCreateAPIView):
user_visible = Credential.accessible_objects(self.request.user, 'read_role').all()
org_set = Credential.accessible_objects(organization.admin_role, 'read_role').all()
if self.request.user.is_superuser:
if self.request.user.is_superuser or self.request.user.is_system_auditor:
return org_set
return org_set & user_visible
@ -2591,7 +2591,7 @@ class SystemJobTemplateList(ListAPIView):
serializer_class = SystemJobTemplateSerializer
def get(self, request, *args, **kwargs):
if not request.user.is_superuser:
if not request.user.is_superuser and not request.user.is_system_auditor:
raise PermissionDenied("Superuser privileges needed.")
return super(SystemJobTemplateList, self).get(request, *args, **kwargs)
@ -3321,7 +3321,7 @@ class SystemJobList(ListCreateAPIView):
serializer_class = SystemJobListSerializer
def get(self, request, *args, **kwargs):
if not request.user.is_superuser:
if not request.user.is_superuser and not request.user.is_system_auditor:
raise PermissionDenied("Superuser privileges needed.")
return super(SystemJobList, self).get(request, *args, **kwargs)
@ -3625,8 +3625,6 @@ class RoleList(ListAPIView):
new_in_300 = True
def get_queryset(self):
if self.request.user.is_superuser:
return Role.objects.all()
return Role.visible_roles(self.request.user)

39
awx/main/access.py
View File

@ -139,7 +139,7 @@ class BaseAccess(object):
self.user = user
def get_queryset(self):
if self.user.is_superuser:
if self.user.is_superuser or self.user.is_system_auditor:
return self.model.objects.all()
else:
return self.model.objects.none()
@ -221,7 +221,7 @@ class UserAccess(BaseAccess):
model = User
def get_queryset(self):
if self.user.is_superuser:
if self.user.is_superuser or self.user.is_system_auditor:
return User.objects.all()
if tower_settings.ORG_ADMINS_CAN_SEE_ALL_USERS and \
@ -718,7 +718,7 @@ class ProjectAccess(BaseAccess):
model = Project
def get_queryset(self):
if self.user.is_superuser:
if self.user.is_superuser or self.user.is_system_auditor:
return self.model.objects.all()
qs = self.model.accessible_objects(self.user, 'read_role')
return qs.select_related('modified_by', 'credential', 'current_job', 'last_job').all()
@ -752,7 +752,7 @@ class ProjectUpdateAccess(BaseAccess):
model = ProjectUpdate
def get_queryset(self):
if self.user.is_superuser:
if self.user.is_superuser or self.user.is_system_auditor:
return self.model.objects.all()
qs = ProjectUpdate.objects.distinct()
qs = qs.select_related('created_by', 'modified_by', 'project')
@ -788,7 +788,7 @@ class JobTemplateAccess(BaseAccess):
model = JobTemplate
def get_queryset(self):
if self.user.is_superuser:
if self.user.is_superuser or self.user.is_system_auditor:
qs = self.model.objects.all()
else:
qs = self.model.accessible_objects(self.user, 'read_role')
@ -979,7 +979,7 @@ class JobAccess(BaseAccess):
qs = qs.select_related('created_by', 'modified_by', 'job_template', 'inventory',
'project', 'credential', 'cloud_credential', 'job_template')
qs = qs.prefetch_related('unified_job_template')
if self.user.is_superuser:
if self.user.is_superuser or self.user.is_system_auditor:
return qs.all()
qs_jt = qs.filter(
@ -1086,7 +1086,7 @@ class AdHocCommandAccess(BaseAccess):
qs = self.model.objects.distinct()
qs = qs.select_related('created_by', 'modified_by', 'inventory',
'credential')
if self.user.is_superuser:
if self.user.is_superuser or self.user.is_system_auditor:
return qs.all()
inventory_qs = Inventory.accessible_objects(self.user, 'read_role')
@ -1147,7 +1147,7 @@ class AdHocCommandEventAccess(BaseAccess):
qs = self.model.objects.distinct()
qs = qs.select_related('ad_hoc_command', 'host')
if self.user.is_superuser:
if self.user.is_superuser or self.user.is_system_auditor:
return qs.all()
ad_hoc_command_qs = self.user.get_queryset(AdHocCommand)
host_qs = self.user.get_queryset(Host)
@ -1173,7 +1173,7 @@ class JobHostSummaryAccess(BaseAccess):
def get_queryset(self):
qs = self.model.objects
qs = qs.select_related('job', 'job__job_template', 'host')
if self.user.is_superuser:
if self.user.is_superuser or self.user.is_system_auditor:
return qs.all()
job_qs = self.user.get_queryset(Job)
host_qs = self.user.get_queryset(Host)
@ -1205,7 +1205,7 @@ class JobEventAccess(BaseAccess):
event_data__icontains='"ansible_job_id": "',
event_data__contains='"module_name": "async_status"')
if self.user.is_superuser:
if self.user.is_superuser or self.user.is_system_auditor:
return qs.all()
job_qs = self.user.get_queryset(Job)
@ -1318,7 +1318,7 @@ class ScheduleAccess(BaseAccess):
qs = self.model.objects.all()
qs = qs.select_related('created_by', 'modified_by')
qs = qs.prefetch_related('unified_job_template')
if self.user.is_superuser:
if self.user.is_superuser or self.user.is_system_auditor:
return qs.all()
job_template_qs = self.user.get_queryset(JobTemplate)
inventory_source_qs = self.user.get_queryset(InventorySource)
@ -1369,12 +1369,13 @@ class NotificationTemplateAccess(BaseAccess):
def get_queryset(self):
qs = self.model.objects.all()
if self.user.is_superuser:
if self.user.is_superuser or self.user.is_system_auditor:
return qs
return self.model.objects.filter(organization__in=Organization.accessible_objects(self.user, 'admin_role').all())
@check_superuser
def can_read(self, obj):
if self.user.is_superuser or self.user.is_system_auditor:
return True
if obj.organization is not None:
return self.user in obj.organization.admin_role
return False
@ -1413,7 +1414,7 @@ class NotificationAccess(BaseAccess):
def get_queryset(self):
qs = self.model.objects.all()
if self.user.is_superuser:
if self.user.is_superuser or self.user.is_system_auditor:
return qs
return self.model.objects.filter(notification_template__organization__in=Organization.accessible_objects(self.user, 'admin_role'))
@ -1430,7 +1431,7 @@ class LabelAccess(BaseAccess):
model = Label
def get_queryset(self):
if self.user.is_superuser:
if self.user.is_superuser or self.user.is_system_auditor:
return self.model.objects.all()
return self.model.objects.filter(
organization__in=Organization.accessible_objects(self.user, 'read_role')
@ -1493,9 +1494,7 @@ class ActivityStreamAccess(BaseAccess):
'inventory_update', 'credential', 'team', 'project', 'project_update',
'permission', 'job_template', 'job', 'ad_hoc_command',
'notification_template', 'notification', 'label', 'role')
if self.user.is_superuser:
return qs.all()
if self.user in Role.singleton('system_auditor'):
if self.user.is_superuser or self.user.is_system_auditor:
return qs.all()
inventory_set = Inventory.accessible_objects(self.user, 'read_role')
@ -1543,7 +1542,7 @@ class CustomInventoryScriptAccess(BaseAccess):
model = CustomInventoryScript
def get_queryset(self):
if self.user.is_superuser:
if self.user.is_superuser or self.user.is_system_auditor:
return self.model.objects.distinct().all()
return self.model.accessible_objects(self.user, 'read_role').all()
@ -1599,7 +1598,7 @@ class RoleAccess(BaseAccess):
def can_read(self, obj):
if not obj:
return False
if self.user.is_superuser:
if self.user.is_superuser or self.user.is_system_auditor:
return True
if obj.object_id:

1
awx/ui/client/src/app.js
View File

@ -881,6 +881,7 @@ var tower = angular.module('Tower', [
}
// If browser refresh, set the user_is_superuser value
$rootScope.user_is_superuser = Authorization.getUserInfo('is_superuser');
$rootScope.user_is_system_auditor = Authorization.getUserInfo('is_system_auditor');
// state the user refreshes we want to open the socket, except if the user is on the login page, which should happen after the user logs in (see the AuthService module for that call to OpenSocket)
if(!_.contains($location.$$url, '/login')){
ConfigService.getConfig().then(function(){

1
awx/ui/client/src/login/loginModal/loginModal.controller.js
View File

@ -137,6 +137,7 @@ export default ['$log', '$cookieStore', '$compile', '$window', '$rootScope',
$rootScope.sessionTimer = timer;
$rootScope.$emit('OpenSocket');
$rootScope.user_is_superuser = data.results[0].is_superuser;
$rootScope.user_is_system_auditor = data.results[0].is_system_auditor;
scope.$emit('AuthorizationGetLicense');
});
})

4
awx/ui/client/src/setup-menu/setup-menu.partial.html
View File

@ -24,7 +24,7 @@
Add passwords, SSH keys, etc. for Tower to use when launching jobs against machines, or when syncing inventories or projects.
</p>
</a>
<a ui-sref="managementJobsList" class="SetupItem" ng-if="user_is_superuser">
<a ui-sref="managementJobsList" class="SetupItem" ng-if="user_is_superuser || user_is_system_auditor">
<h4 class="SetupItem-title">Management Jobs</h4>
<p class="SetupItem-description">
Manage the cleanup of old job history, activity streams, data marked for deletion, and system tracking info.
@ -37,7 +37,7 @@
</p>
</a>
<a ui-sref="notifications" class="SetupItem"
ng-if="orgAdmin">
ng-if="orgAdmin || user_is_system_auditor || user_is_superuser">
<h4 class="SetupItem-title">Notifications</h4>
<p class="SetupItem-description">
Create templates for sending notifications with Email, HipChat, Slack, and SMS.