From 1ddb675fa2e89ae3de6e37a857257d5384c838bf Mon Sep 17 00:00:00 2001
From: AlanCoding
Date: Tue, 16 Apr 2019 13:55:58 -0400
Subject: [PATCH] Use querset special case to let org members see teams
---
 awx/main/access.py | 6 +++++-
 awx/main/tests/functional/test_projects.py | 7 -------
 awx/main/tests/functional/test_rbac_team.py | 15 +++++++++++++++
 3 files changed, 20 insertions(+), 8 deletions(-)
diff --git a/awx/main/access.py b/awx/main/access.py
index b09783a912..250ce99a66 100644
--- a/awx/main/access.py
+++ b/awx/main/access.py
@@ -1245,6 +1245,7 @@ class TeamAccess(BaseAccess):
 - I'm a superuser.
 - I'm an admin of the team
 - I'm a member of that team.
+ - I'm a member of the team's organization
 I can create/change a team when:
 - I'm a superuser.
 - I'm an admin for the team
@@ -1257,7 +1258,10 @@ class TeamAccess(BaseAccess):
 if settings.ORG_ADMINS_CAN_SEE_ALL_USERS and \
 (self.user.admin_of_organizations.exists() or self.user.auditor_of_organizations.exists()):
 return self.model.objects.all()
- return self.model.accessible_objects(self.user, 'read_role')
+ return self.model.objects.filter(
+ Q(organization=Organization.accessible_pk_qs(self.user, 'member_role')) |
+ Q(pk__in=self.model.accessible_pk_qs(self.user, 'read_role'))
+ )
 @check_superuser
 def can_add(self, data):
diff --git a/awx/main/tests/functional/test_projects.py b/awx/main/tests/functional/test_projects.py
index 5bd8e749ec..2106c7d3f7 100644
--- a/awx/main/tests/functional/test_projects.py
+++ b/awx/main/tests/functional/test_projects.py
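Review bot: In awx/main/access.py, the first branch of the new filter compares `organization` with the whole queryset from `Organization.accessible_pk_qs(self.user, 'member_role')` by exact match, while the second branch uses `pk__in` with the same kind of queryset. A user who is a member of more than one organization makes that subquery return several rows, which an exact lookup is not meant to accept; depending on the Django version this may raise or fail in the database instead of listing the teams. Writing the branch as `Q(organization__in=Organization.accessible_pk_qs(self.user, 'member_role')) |` keeps both sides consistent. Because this return widens read access from role holders to every organization member, a comment above it such as `# org members may read every team in their organization` would make the intended scope explicit. The enclosing method starts above the hunk, so its name and the imports of `Q` and `Organization` are not visible here.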
@@ -175,13 +175,6 @@ def test_team_project_list(get, team_project_list):
 assert get(reverse('api:user_projects_list', kwargs={'pk':admin.pk,}), alice).data['count'] == 2
-@pytest.mark.django_db
-def test_team_project_list_fail1(get, team_project_list):
- objects = team_project_list
- res = get(reverse('api:team_projects_list', kwargs={'pk':objects.teams.team2.pk,}), objects.users.alice)
- assert res.status_code == 403
-
-
 @pytest.mark.parametrize("u,expected_status_code", [
 ('rando', 403),
 ('org_member', 403),
diff --git a/awx/main/tests/functional/test_rbac_team.py b/awx/main/tests/functional/test_rbac_team.py
index 7178769906..80a825edd5 100644
--- a/awx/main/tests/functional/test_rbac_team.py
+++ b/awx/main/tests/functional/test_rbac_team.py
@@ -152,3 +152,18 @@ def test_org_admin_view_all_teams(org_admin, enabled):
 with mock.patch('awx.main.access.settings') as settings_mock:
 settings_mock.ORG_ADMINS_CAN_SEE_ALL_USERS = enabled
 assert access.can_read(other_team) is enabled
+
+
+@pytest.mark.django_db
+def test_team_member_read(rando, organization, team):
+ assert team.organization == organization
+ organization.member_role.members.add(rando)
+ assert TeamAccess(rando).can_read(team)
+ assert team in TeamAccess(rando).get_queryset()
+
+
+@pytest.mark.django_db
+def test_team_list_no_duplicate_entries(rando, organization, team):
+ organization.member_role.members.add(rando)
+ team.read_role.members.add(rando)
+ assert list(TeamAccess(rando).get_queryset()) == [team]
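Review bot: In awx/main/tests/functional/test_rbac_team.py, both new tests cover only a user who should gain access, so nothing asserts that the wider read rule stops at the organization boundary. A case where `rando` is added to the `member_role` of a different organization and `assert team not in TeamAccess(rando).get_queryset()` holds would pin that. A second case with membership in two organizations would exercise the multi-row subquery in the new filter. The 403 check deleted from test_projects.py in this commit is also left without a replacement stating what `alice` now receives from `api:team_projects_list`, which presumably is no longer 403.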