diff --git a/awx/api/views.py b/awx/api/views.py index 971ff965d2..7a16ce650e 100644 --- a/awx/api/views.py +++ b/awx/api/views.py @@ -818,7 +818,7 @@ class TeamList(ListCreateAPIView): def get_queryset(self): qs = Team.accessible_objects(self.request.user, 'read_role').order_by() - qs = qs.select_related('admin_role', 'auditor_role', 'member_role', 'organization') + qs = qs.select_related('admin_role', 'read_role', 'member_role', 'organization') return qs class TeamDetail(RetrieveUpdateDestroyAPIView): @@ -865,7 +865,7 @@ class TeamProjectsList(SubListAPIView): def get_queryset(self): team = self.get_parent_object() self.check_parent_access(team) - team_qs = Project.objects.filter(Q(member_role__parents=team.member_role) | Q(admin_role__parents=team.member_role)).distinct() + team_qs = Project.objects.filter(Q(use_role__parents=team.member_role) | Q(admin_role__parents=team.member_role)).distinct() user_qs = Project.accessible_objects(self.request.user, 'read_role').distinct() return team_qs & user_qs @@ -913,9 +913,8 @@ class ProjectList(ListCreateAPIView): projects_qs = projects_qs.select_related( 'organization', 'admin_role', - 'auditor_role', - 'member_role', - 'scm_update_role', + 'use_role', + 'update_role', ) return projects_qs @@ -1422,7 +1421,7 @@ class InventoryList(ListCreateAPIView): def get_queryset(self): qs = Inventory.accessible_objects(self.request.user, 'read_role') - qs = qs.select_related('admin_role', 'auditor_role', 'update_role', 'execute_role') + qs = qs.select_related('admin_role', 'read_role', 'update_role', 'execute_role') return qs class InventoryDetail(RetrieveUpdateDestroyAPIView): diff --git a/awx/main/access.py b/awx/main/access.py index e952ba730e..7856c23a01 100644 --- a/awx/main/access.py +++ b/awx/main/access.py 
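Review bot: In `TeamProjectsList.get_queryset` the filter appears to match only projects whose `use_role` or `admin_role` has `team.member_role` as a direct parent, so a team granted `update_role` or `read_role` on a project would be missing from this listing even though it holds access. If the endpoint is meant to reflect everything the team can reach, extend the filter with `| Q(update_role__parents=team.member_role) | Q(read_role__parents=team.member_role)`. Otherwise add a comment saying that only use/admin grants are listed, so the under-reporting is clearly deliberate. In the same file, the `ProjectList` hunk drops `auditor_role` from `select_related` without adding `read_role`, unlike the `TeamList` and `InventoryList` hunks.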
@@ -1384,6 +1384,10 @@ class CustomInventoryScriptAccess(BaseAccess): return self.model.objects.distinct().all() return self.model.accessible_objects(self.user, 'read_role').all() + @check_superuser + def can_admin(self, obj): + return self.user in obj.admin_role + @check_superuser def can_read(self, obj): return self.user in obj.read_role diff --git a/awx/main/migrations/0008_v300_rbac_changes.py b/awx/main/migrations/0008_v300_rbac_changes.py index dd112700cf..0c6ec9627c 100644 --- a/awx/main/migrations/0008_v300_rbac_changes.py +++ b/awx/main/migrations/0008_v300_rbac_changes.py @@ -137,11 +137,6 @@ class Migration(migrations.Migration): name='roleancestorentry', index_together=set([('ancestor', 'content_type_id', 'object_id'), ('ancestor', 'content_type_id', 'role_field'), ('ancestor', 'descendent')]), ), - migrations.AddField( - model_name='credential', - name='auditor_role', - field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=[b'singleton:system_auditor'], to='main.Role', null=b'True'), - ), migrations.AddField( model_name='credential', name='owner_role', 
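Review bot: The new `CustomInventoryScriptAccess.can_admin` has no test in this commit, although the same commit removes the script's own `member_role` and `auditor_role`. Read access now comes straight from the organization roles while admin stays on `admin_role`. A functional test asserting that an organization member or auditor passes `can_read` but fails `can_admin` would pin that boundary. A one-line docstring such as `"""Allow users who hold this script's admin_role."""` would also help. Whether `can_change` and `can_delete` delegate to this method is not visible in the hunk.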
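Review bot: This hunk and the later ones in `0008_v300_rbac_changes.py` (-155, -187, -205, -215, -230, -260, -289 and -325) rewrite an existing migration in place instead of adding a new one. Any database that has already applied 0008 would keep the `auditor_role`, `member_role` and `scm_update_role` columns and never gain `use_role`/`update_role` on `project`, which leaves the schema and the role hierarchy out of step with the models. If 0008 has reached any environment, the removals and renames need their own migration using `RemoveField`/`RenameField`. If it has not, say so in the commit message so reviewers can rely on it.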
@@ -155,27 +150,17 @@ class Migration(migrations.Migration):
 migrations.AddField(
 model_name='credential',
 name='read_role',
- field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=[b'use_role', b'auditor_role', b'owner_role'], to='main.Role', null=b'True'),
+ field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=[b'singleton:system_auditor', b'use_role', b'owner_role'], to='main.Role', null=b'True'),
 ),
 migrations.AddField(
 model_name='custominventoryscript',
 name='admin_role',
 field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=b'organization.admin_role', to='main.Role', null=b'True'),
 ),
- migrations.AddField(
- model_name='custominventoryscript',
- name='auditor_role',
- field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=b'organization.auditor_role', to='main.Role', null=b'True'),
- ),
- migrations.AddField(
- model_name='custominventoryscript',
- name='member_role',
- field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=b'organization.member_role', to='main.Role', null=b'True'),
- ),
 migrations.AddField(
 model_name='custominventoryscript',
 name='read_role',
- field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=[b'auditor_role', b'member_role', b'admin_role'], to='main.Role', null=b'True'),
+ field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=[b'organization.auditor_role', b'organization.member_role', b'admin_role'], to='main.Role', null=b'True'),
 ),
 migrations.AddField(
 model_name='group',
@@ -187,11 +172,6 @@ class Migration(migrations.Migration):
 name='adhoc_role',
 field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=[b'inventory.adhoc_role', b'parents.adhoc_role', b'admin_role'], to='main.Role', null=b'True'),
 ),
- migrations.AddField(
- model_name='group',
- name='auditor_role',
- field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=[b'inventory.auditor_role', b'parents.auditor_role'], to='main.Role', null=b'True'),
- ),
 migrations.AddField(
 model_name='group',
 name='execute_role',
@@ -205,7 +185,7 @@ class Migration(migrations.Migration):
 migrations.AddField(
 model_name='group',
 name='read_role',
- field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=[b'execute_role', b'update_role', b'auditor_role', b'admin_role'], to='main.Role', null=b'True'),
+ field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=[b'inventory.read_role', b'parents.read_role', b'execute_role', b'update_role', b'admin_role'], to='main.Role', null=b'True'),
 ),
 migrations.AddField(
 model_name='inventory',
@@ -215,12 +195,7 @@ class Migration(migrations.Migration):
 migrations.AddField(
 model_name='inventory',
 name='adhoc_role',
- field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=[b'admin_role'], to='main.Role', null=b'True'),
- ),
- migrations.AddField(
- model_name='inventory',
- name='auditor_role',
- field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=b'organization.auditor_role', to='main.Role', null=b'True'),
+ field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=b'admin_role', to='main.Role', null=b'True'),
 ),
 migrations.AddField(
 model_name='inventory',
@@ -230,28 +205,23 @@ class Migration(migrations.Migration):
 migrations.AddField(
 model_name='inventory',
 name='update_role',
- field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=[b'admin_role'], to='main.Role', null=b'True'),
+ field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=b'admin_role', to='main.Role', null=b'True'),
 ),
 migrations.AddField(
 model_name='inventory',
 name='use_role',
- field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=[b'admin_role'], to='main.Role', null=b'True'),
+ field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=b'admin_role', to='main.Role', null=b'True'),
 ),
 migrations.AddField(
 model_name='inventory',
 name='read_role',
- field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=[b'auditor_role', b'execute_role', b'update_role', b'use_role', b'admin_role'], to='main.Role', null=b'True'),
+ field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=[b'organization.auditor_role', b'execute_role', b'update_role', b'use_role', b'admin_role'], to='main.Role', null=b'True'),
 ),
 migrations.AddField(
 model_name='jobtemplate',
 name='admin_role',
 field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=[(b'project.admin_role', b'inventory.admin_role')], to='main.Role', null=b'True'),
 ),
- migrations.AddField(
- model_name='jobtemplate',
- name='auditor_role',
- field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=[(b'project.auditor_role', b'inventory.auditor_role')], to='main.Role', null=b'True'),
- ),
 migrations.AddField(
 model_name='jobtemplate',
 name='execute_role',
@@ -260,7 +230,7 @@ class Migration(migrations.Migration):
 migrations.AddField(
 model_name='jobtemplate',
 name='read_role',
- field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=[b'execute_role', b'auditor_role', b'admin_role'], to='main.Role', null=b'True'),
+ field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=[(b'project.organization.auditor_role', b'inventory.organization.auditor_role'), b'execute_role', b'admin_role'], to='main.Role', null=b'True'),
 ),
 migrations.AddField(
 model_name='organization',
@@ -289,34 +259,24 @@ class Migration(migrations.Migration):
 ),
 migrations.AddField(
 model_name='project',
- name='auditor_role',
- field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=[b'organization.auditor_role', b'singleton:system_auditor'], to='main.Role', null=b'True'),
- ),
- migrations.AddField(
- model_name='project',
- name='member_role',
+ name='use_role',
 field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=b'admin_role', to='main.Role', null=b'True'),
 ),
 migrations.AddField(
 model_name='project',
- name='scm_update_role',
+ name='update_role',
 field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=b'admin_role', to='main.Role', null=b'True'),
 ),
 migrations.AddField(
 model_name='project',
 name='read_role',
- field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=[b'member_role', b'auditor_role', b'scm_update_role'], to='main.Role', null=b'True'),
+ field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=[b'organization.auditor_role', b'singleton:system_auditor', b'use_role', b'update_role'], to='main.Role', null=b'True'),
 ),
 migrations.AddField(
 model_name='team',
 name='admin_role',
 field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=b'organization.admin_role', to='main.Role', null=b'True'),
 ),
- migrations.AddField(
- model_name='team',
- name='auditor_role',
- field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=b'organization.auditor_role', to='main.Role', null=b'True'),
- ),
 migrations.AddField(
 model_name='team',
 name='member_role',
@@ -325,6 +285,6 @@ class Migration(migrations.Migration):
 migrations.AddField(
 model_name='team',
 name='read_role',
- field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=[b'admin_role', b'auditor_role', b'member_role'], to='main.Role', null=b'True'),
+ field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=[b'admin_role', b'organization.auditor_role', b'member_role'], to='main.Role', null=b'True'),
 ),
 ]
diff --git a/awx/main/migrations/_rbac.py b/awx/main/migrations/_rbac.py
index 94465084b4..134114dccb 100644
--- a/awx/main/migrations/_rbac.py
+++ b/awx/main/migrations/_rbac.py
@@ -219,7 +219,7 @@ def migrate_inventory(apps, schema_editor):
 if perm.permission_type == 'admin':
 return inventory.admin_role
 elif perm.permission_type == 'read':
- return inventory.auditor_role
+ return inventory.read_role
 elif perm.permission_type == 'write':
 return inventory.update_role
 elif perm.permission_type == 'check' or perm.permission_type == 'run' or perm.permission_type == 'create':
@@ -320,22 +320,22 @@ def migrate_projects(apps, schema_editor): logger.warn(smart_text(u'adding Project({}) admin: {}'.format(project.name, project.created_by.username))) for team in project.deprecated_teams.all(): - team.member_role.children.add(project.member_role) + team.member_role.children.add(project.use_role) logger.info(smart_text(u'adding Team({}) access for Project({})'.format(team.name, project.name))) if project.organization is not None: for user in project.organization.deprecated_users.all(): - project.member_role.members.add(user) + project.use_role.members.add(user) logger.info(smart_text(u'adding Organization({}) member access to Project({})'.format(project.organization.name, project.name))) for perm in Permission.objects.filter(project=project): # All perms at this level just imply a user or team can read if perm.team: - perm.team.member_role.children.add(project.member_role) + perm.team.member_role.children.add(project.use_role) logger.info(smart_text(u'adding Team({}) access for Project({})'.format(perm.team.name, project.name))) if perm.user: - project.member_role.members.add(perm.user) + project.use_role.members.add(perm.user) logger.info(smart_text(u'adding User({}) access for Project({})'.format(perm.user.username, project.name))) diff --git a/awx/main/models/credential.py b/awx/main/models/credential.py index 11b2a31e87..71ee9a75ef 100644 --- a/awx/main/models/credential.py +++ b/awx/main/models/credential.py 
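Review bot: In `migrate_projects`, the loop over `Permission.objects.filter(project=project)` is commented `# All perms at this level just imply a user or team can read`, yet it now attaches users and teams to `project.use_role`, which `role_descriptions` describes as 'Can use the %s in a job template'. If the legacy permission really was read-only, the migration should grant the narrower role, e.g. `project.read_role.members.add(perm.user)` and `perm.team.member_role.children.add(project.read_role)`; if use was always intended, correct the comment. The same question applies to the `project.organization.deprecated_users` loop just above it. A migration test asserting which of `read_role` and `use_role` a migrated user ends up in would make the choice explicit. The function body starts outside this hunk.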
@@ -208,19 +208,14 @@ class Credential(PasswordFieldsModel, CommonModelNameNotUnique, ResourceMixin): 'singleton:' + ROLE_SINGLETON_SYSTEM_ADMINISTRATOR, ], ) - auditor_role = ImplicitRoleField( - parent_role=[ - 'singleton:' + ROLE_SINGLETON_SYSTEM_AUDITOR, - ], - ) use_role = ImplicitRoleField( parent_role=['owner_role'] ) - read_role = ImplicitRoleField( - parent_role=[ - 'use_role', 'auditor_role', 'owner_role' - ], - ) + read_role = ImplicitRoleField(parent_role=[ + 'singleton:' + ROLE_SINGLETON_SYSTEM_AUDITOR, + 'use_role', + 'owner_role' + ]) @property def needs_ssh_password(self): diff --git a/awx/main/models/inventory.py b/awx/main/models/inventory.py index 451a757670..b9bb57be99 100644 --- a/awx/main/models/inventory.py +++ b/awx/main/models/inventory.py @@ -99,24 +99,25 @@ class Inventory(CommonModel, ResourceMixin): admin_role = ImplicitRoleField( parent_role='organization.admin_role', ) - auditor_role = ImplicitRoleField( - parent_role='organization.auditor_role', - ) update_role = ImplicitRoleField( - parent_role=['admin_role'], + parent_role='admin_role', ) use_role = ImplicitRoleField( - parent_role=['admin_role'], + parent_role='admin_role', ) adhoc_role = ImplicitRoleField( - parent_role=['admin_role'], + parent_role='admin_role', ) execute_role = ImplicitRoleField( parent_role='adhoc_role', ) - read_role = ImplicitRoleField( - parent_role=['auditor_role', 'execute_role', 'update_role', 'use_role', 'admin_role'], - ) + read_role = ImplicitRoleField(parent_role=[ + 'organization.auditor_role', + 'execute_role', + 'update_role', + 'use_role', + 'admin_role', + ]) def get_absolute_url(self): return reverse('api:inventory_detail', args=(self.pk,)) 
@@ -519,9 +520,6 @@ class Group(CommonModelNameNotUnique, ResourceMixin): admin_role = ImplicitRoleField( parent_role=['inventory.admin_role', 'parents.admin_role'], ) - auditor_role = ImplicitRoleField( - parent_role=['inventory.auditor_role', 'parents.auditor_role'], - ) update_role = ImplicitRoleField( parent_role=['inventory.update_role', 'parents.update_role', 'admin_role'], ) @@ -531,9 +529,13 @@ class Group(CommonModelNameNotUnique, ResourceMixin): execute_role = ImplicitRoleField( parent_role=['inventory.execute_role', 'parents.execute_role', 'adhoc_role'], ) - read_role = ImplicitRoleField( - parent_role=['execute_role', 'update_role', 'auditor_role', 'admin_role'], - ) + read_role = ImplicitRoleField(parent_role=[ + 'inventory.read_role', + 'parents.read_role', + 'execute_role', + 'update_role', + 'admin_role' + ]) def __unicode__(self): return self.name @@ -1307,14 +1309,8 @@ class CustomInventoryScript(CommonModelNameNotUnique, ResourceMixin): admin_role = ImplicitRoleField( parent_role='organization.admin_role', ) - member_role = ImplicitRoleField( - parent_role='organization.member_role', - ) - auditor_role = ImplicitRoleField( - parent_role='organization.auditor_role', - ) read_role = ImplicitRoleField( - parent_role=['auditor_role', 'member_role', 'admin_role'], + parent_role=['organization.auditor_role', 'organization.member_role', 'admin_role'], ) def get_absolute_url(self): diff --git a/awx/main/models/jobs.py b/awx/main/models/jobs.py index fc415b9af1..e7a97755f3 100644 --- a/awx/main/models/jobs.py +++ b/awx/main/models/jobs.py 
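Review bot: `Group.read_role` now inherits from `inventory.read_role` and `parents.read_role`, where the removed `auditor_role` inherited only from the inventory's and parent groups' auditor roles. Because `Inventory.read_role` lists `execute_role`, `update_role`, `use_role` and `admin_role` as parents, any role on the inventory, or a direct `read_role` grant, now confers read on every group beneath it. That is probably intended, but it widens who can view group data. A comment on the field such as `# read on the inventory or a parent group implies read on this group`, plus a test covering an inventory `use_role` member, would document the new reach.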
@@ -223,14 +223,11 @@ class JobTemplate(UnifiedJobTemplate, JobOptions, ResourceMixin): admin_role = ImplicitRoleField( parent_role=[('project.admin_role', 'inventory.admin_role')] ) - auditor_role = ImplicitRoleField( - parent_role=[('project.auditor_role', 'inventory.auditor_role')] - ) execute_role = ImplicitRoleField( parent_role=['admin_role'], ) read_role = ImplicitRoleField( - parent_role=['execute_role', 'auditor_role', 'admin_role'], + parent_role=[('project.organization.auditor_role', 'inventory.organization.auditor_role'), 'execute_role', 'admin_role'], ) @classmethod diff --git a/awx/main/models/organization.py b/awx/main/models/organization.py index 3d8a06f446..94d82eae6d 100644 --- a/awx/main/models/organization.py +++ b/awx/main/models/organization.py @@ -104,12 +104,9 @@ class Team(CommonModelNameNotUnique, ResourceMixin): admin_role = ImplicitRoleField( parent_role='organization.admin_role', ) - auditor_role = ImplicitRoleField( - parent_role='organization.auditor_role', - ) member_role = ImplicitRoleField() read_role = ImplicitRoleField( - parent_role=['admin_role', 'auditor_role', 'member_role'], + parent_role=['admin_role', 'organization.auditor_role', 'member_role'], ) def get_absolute_url(self): diff --git a/awx/main/models/projects.py b/awx/main/models/projects.py index f987bd6af0..f421bb7fa3 100644 --- a/awx/main/models/projects.py +++ b/awx/main/models/projects.py 
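Review bot: `JobTemplate.read_role` replaces `auditor_role` with the tuple `('project.organization.auditor_role', 'inventory.organization.auditor_role')`, which removes the path through `project.auditor_role` and its `singleton:system_auditor` parent. Unless `Organization.auditor_role` itself descends from the system auditor singleton (not visible in this diff), system auditors may lose read access to job templates. `Project.read_role` in this same commit lists the singleton explicitly, which suggests it is not implied. The two-hop path also has to tolerate a project whose `organization` is null, a case `migrate_projects` guards with `if project.organization is not None`. A test asserting that both a system auditor and an organization auditor can read a job template would cover the regression.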
@@ -220,27 +220,26 @@ class Project(UnifiedJobTemplate, ProjectOptions, ResourceMixin): default=0, blank=True, ) - admin_role = ImplicitRoleField( - parent_role=[ - 'organization.admin_role', - 'singleton:' + ROLE_SINGLETON_SYSTEM_ADMINISTRATOR, - ], - ) - auditor_role = ImplicitRoleField( - parent_role=[ - 'organization.auditor_role', - 'singleton:' + ROLE_SINGLETON_SYSTEM_AUDITOR, - ], - ) - member_role = ImplicitRoleField( + + admin_role = ImplicitRoleField(parent_role=[ + 'organization.admin_role', + 'singleton:' + ROLE_SINGLETON_SYSTEM_ADMINISTRATOR, + ]) + + use_role = ImplicitRoleField( parent_role='admin_role', ) - scm_update_role = ImplicitRoleField( + + update_role = ImplicitRoleField( parent_role='admin_role', ) - read_role = ImplicitRoleField( - parent_role=['member_role', 'auditor_role', 'scm_update_role'], - ) + + read_role = ImplicitRoleField(parent_role=[ + 'organization.auditor_role', + 'singleton:' + ROLE_SINGLETON_SYSTEM_AUDITOR, + 'use_role', + 'update_role', + ]) @classmethod def _get_unified_job_class(cls): diff --git a/awx/main/models/rbac.py b/awx/main/models/rbac.py index fb57ef4f65..45f9ebe4bc 100644 --- a/awx/main/models/rbac.py +++ b/awx/main/models/rbac.py @@ -42,7 +42,6 @@ role_names = { 'member_role' : 'Member', 'owner_role' : 'Owner', 'read_role' : 'Read', - 'scm_update_role' : 'SCM Update', 'update_role' : 'Update', 'use_role' : 'Use', } @@ -57,8 +56,7 @@ role_descriptions = { 'member_role' : 'User is a member of the %s', 'owner_role' : 'Owns and can manage all aspects of this %s', 'read_role' : 'May view settings for the %s', - 'scm_update_role' : 'May update the project from the configured source control management system', - 'update_role' : 'May update the inventory or group using the cloud source update system', + 'update_role' : 'May update project or inventory or group using the configured source update system', 'use_role' : 'Can use the %s in a job template', } 
diff --git a/awx/main/tests/functional/test_projects.py b/awx/main/tests/functional/test_projects.py index 62e98425df..d8bcd5d151 100644 --- a/awx/main/tests/functional/test_projects.py +++ b/awx/main/tests/functional/test_projects.py @@ -74,9 +74,9 @@ def test_team_project_list(get, project_factory, team_factory, admin, alice, bob assert get(reverse('api:team_projects_list', args=(team1.pk,)), alice).data['count'] == 2 # but if she does, then she should only see the shared project - team2.auditor_role.members.add(alice) + team2.read_role.members.add(alice) assert get(reverse('api:team_projects_list', args=(team2.pk,)), alice).data['count'] == 1 - team2.auditor_role.members.remove(alice) + team2.read_role.members.remove(alice) # Test user endpoints first, very similar tests to test_user_project_list # but permissions are being derived from team membership instead. diff --git a/awx/main/tests/functional/test_rbac_inventory.py b/awx/main/tests/functional/test_rbac_inventory.py index 0727b73e10..29c851b094 100644 --- a/awx/main/tests/functional/test_rbac_inventory.py +++ b/awx/main/tests/functional/test_rbac_inventory.py @@ -42,12 +42,12 @@ def test_inventory_auditor_user(inventory, permissions, user): perm.save() assert u not in inventory.admin_role - assert u not in inventory.auditor_role + assert u not in inventory.read_role rbac.migrate_inventory(apps, None) assert u not in inventory.admin_role - assert u in inventory.auditor_role + assert u in inventory.read_role assert inventory.execute_role.members.filter(id=u.id).exists() is False assert inventory.update_role.members.filter(id=u.id).exists() is False @@ -58,7 +58,7 @@ def test_inventory_updater_user(inventory, permissions, user): perm.save() assert u not in inventory.admin_role - assert u not in inventory.auditor_role + assert u not in inventory.read_role rbac.migrate_inventory(apps, None) 
@@ -73,7 +73,7 @@ def test_inventory_executor_user(inventory, permissions, user): perm.save() assert u not in inventory.admin_role - assert u not in inventory.auditor_role + assert u not in inventory.read_role rbac.migrate_inventory(apps, None) @@ -98,7 +98,7 @@ def test_inventory_admin_team(inventory, permissions, user, team): assert team.member_role.members.count() == 1 assert inventory.admin_role.members.filter(id=u.id).exists() is False - assert inventory.auditor_role.members.filter(id=u.id).exists() is False + assert inventory.read_role.members.filter(id=u.id).exists() is False assert inventory.execute_role.members.filter(id=u.id).exists() is False assert inventory.update_role.members.filter(id=u.id).exists() is False assert u in inventory.read_role @@ -113,14 +113,14 @@ def test_inventory_auditor(inventory, permissions, user, team): team.deprecated_users.add(u) assert u not in inventory.admin_role - assert u not in inventory.auditor_role + assert u not in inventory.read_role rbac.migrate_team(apps,None) rbac.migrate_inventory(apps, None) assert team.member_role.members.count() == 1 assert inventory.admin_role.members.filter(id=u.id).exists() is False - assert inventory.auditor_role.members.filter(id=u.id).exists() is False + assert inventory.read_role.members.filter(id=u.id).exists() is False assert inventory.execute_role.members.filter(id=u.id).exists() is False assert inventory.update_role.members.filter(id=u.id).exists() is False assert u in inventory.read_role 
@@ -134,14 +134,14 @@ def test_inventory_updater(inventory, permissions, user, team): team.deprecated_users.add(u) assert u not in inventory.admin_role - assert u not in inventory.auditor_role + assert u not in inventory.read_role rbac.migrate_team(apps,None) rbac.migrate_inventory(apps, None) assert team.member_role.members.count() == 1 assert inventory.admin_role.members.filter(id=u.id).exists() is False - assert inventory.auditor_role.members.filter(id=u.id).exists() is False + assert inventory.read_role.members.filter(id=u.id).exists() is False assert inventory.execute_role.members.filter(id=u.id).exists() is False assert inventory.update_role.members.filter(id=u.id).exists() is False assert team.member_role.is_ancestor_of(inventory.update_role) @@ -156,14 +156,14 @@ def test_inventory_executor(inventory, permissions, user, team): team.deprecated_users.add(u) assert u not in inventory.admin_role - assert u not in inventory.auditor_role + assert u not in inventory.read_role rbac.migrate_team(apps, None) rbac.migrate_inventory(apps, None) assert team.member_role.members.count() == 1 assert inventory.admin_role.members.filter(id=u.id).exists() is False - assert inventory.auditor_role.members.filter(id=u.id).exists() is False + assert inventory.read_role.members.filter(id=u.id).exists() is False assert inventory.execute_role.members.filter(id=u.id).exists() is False assert inventory.update_role.members.filter(id=u.id).exists() is False assert team.member_role.is_ancestor_of(inventory.update_role) is False diff --git a/awx/main/tests/functional/test_rbac_team.py b/awx/main/tests/functional/test_rbac_team.py index d4f03f0cfc..d2c1dd75c5 100644 --- a/awx/main/tests/functional/test_rbac_team.py +++ b/awx/main/tests/functional/test_rbac_team.py 
@@ -72,7 +72,7 @@ def test_team_access_member(organization, team, user): def test_team_accessible_by(team, user, project): u = user('team_member', False) - team.member_role.children.add(project.member_role) + team.member_role.children.add(project.use_role) assert team in project.read_role assert u not in project.read_role @@ -83,7 +83,7 @@ def test_team_accessible_by(team, user, project): def test_team_accessible_objects(team, user, project): u = user('team_member', False) - team.member_role.children.add(project.member_role) + team.member_role.children.add(project.use_role) assert len(Project.accessible_objects(team, 'read_role')) == 1 assert not Project.accessible_objects(u, 'read_role') diff --git a/awx/main/tests/old/ad_hoc.py b/awx/main/tests/old/ad_hoc.py index 8052350517..b05dc6df89 100644 --- a/awx/main/tests/old/ad_hoc.py +++ b/awx/main/tests/old/ad_hoc.py @@ -491,7 +491,7 @@ class AdHocCommandApiTest(BaseAdHocCommandTest): # Explicitly give nobody user read permission on the inventory. nobody_roles_list_url = reverse('api:user_roles_list', args=(self.nobody_django_user.pk,)) with self.current_user('admin'): - response = self.post(nobody_roles_list_url, {"id": self.inventory.auditor_role.id}, expect=204) + response = self.post(nobody_roles_list_url, {"id": self.inventory.read_role.id}, expect=204) with self.current_user('nobody'): self.run_test_ad_hoc_command(credential=other_cred.pk, expect=403) self.check_get_list(url, 'other', qs) diff --git a/awx/main/tests/old/inventory.py b/awx/main/tests/old/inventory.py index ac9ab875b4..c0fb172b63 100644 --- a/awx/main/tests/old/inventory.py +++ b/awx/main/tests/old/inventory.py 
@@ -59,7 +59,7 @@ class InventoryTest(BaseTest): # create a permission here on the 'other' user so they have edit access on the org # we may add another permission type later. - self.inventory_b.auditor_role.members.add(self.other_django_user) + self.inventory_b.read_role.members.add(self.other_django_user) def tearDown(self): super(InventoryTest, self).tearDown() @@ -267,14 +267,14 @@ class InventoryTest(BaseTest): temp_inv = temp_org.inventories.create(name='Delete Org Inventory') temp_inv.groups.create(name='Delete Org Inventory Group') - temp_inv.auditor_role.members.add(self.other_django_user) + temp_inv.read_role.members.add(self.other_django_user) reverse('api:organization_detail', args=(temp_org.pk,)) inventory_detail = reverse('api:inventory_detail', args=(temp_inv.pk,)) - auditor_role_users_list = reverse('api:role_users_list', args=(temp_inv.auditor_role.pk,)) + read_role_users_list = reverse('api:role_users_list', args=(temp_inv.read_role.pk,)) self.get(inventory_detail, expect=200, auth=self.get_other_credentials()) - self.post(auditor_role_users_list, data={'disassociate': True, "id": self.other_django_user.id}, expect=204, auth=self.get_super_credentials()) + self.post(read_role_users_list, data={'disassociate': True, "id": self.other_django_user.id}, expect=204, auth=self.get_super_credentials()) self.get(inventory_detail, expect=403, auth=self.get_other_credentials()) def test_create_inventory_script(self): 
@@ -1474,7 +1474,7 @@ class InventoryUpdatesTest(BaseTransactionTest): # to see the inventory source and update view, but not start an update. user_roles_list_url = reverse('api:user_roles_list', args=(self.other_django_user.pk,)) with self.current_user(self.super_django_user): - self.post(user_roles_list_url, {"id": self.inventory.auditor_role.id}, expect=204) + self.post(user_roles_list_url, {"id": self.inventory.read_role.id}, expect=204) with self.current_user(self.other_django_user): self.get(inv_src_url, expect=200) response = self.get(inv_src_update_url, expect=200) diff --git a/awx/main/tests/old/schedules.py b/awx/main/tests/old/schedules.py index f90fef6e24..441c1e2002 100644 --- a/awx/main/tests/old/schedules.py +++ b/awx/main/tests/old/schedules.py @@ -71,7 +71,7 @@ class ScheduleTest(BaseTest): self.first_inventory_source.source = 'ec2' self.first_inventory_source.save() - self.first_inventory.auditor_role.members.add(self.other_django_user) + self.first_inventory.read_role.members.add(self.other_django_user) self.second_inventory = Inventory.objects.create(name='test_inventory_2', description='for org 0', organization=self.organizations[0]) self.second_inventory.hosts.create(name='host_2')