Prevent system auditor from downloading install bundle (#6805)

2026-01-09 23:12:08 -03:30 · 2025-03-11 10:54:02 -04:00 · 2025-03-11 10:54:02 -04:00 · 1e6a7c0749
commit 1e6a7c0749
parent b5bc85e639
3 changed files with 22 additions and 2 deletions
--- a/awx/api/permissions.py
+++ b/awx/api/permissions.py
@ -234,6 +234,13 @@ class UserPermission(ModelAccessPermission):
        raise PermissionDenied()


+class IsSystemAdmin(permissions.BasePermission):
+    def has_permission(self, request, view):
+        if not (request.user and request.user.is_authenticated):
+            return False
+        return request.user.is_superuser
+
+
 class IsSystemAdminOrAuditor(permissions.BasePermission):
    """
    Allows write access only to system admin users.
--- a/awx/api/views/instance_install_bundle.py
+++ b/awx/api/views/instance_install_bundle.py
@ -12,7 +12,7 @@ import re
 import asn1
 from awx.api import serializers
 from awx.api.generics import GenericAPIView, Response
-from awx.api.permissions import IsSystemAdminOrAuditor
+from awx.api.permissions import IsSystemAdmin
 from awx.main import models
 from cryptography import x509
 from cryptography.hazmat.primitives import hashes, serialization
@ -48,7 +48,7 @@ class InstanceInstallBundle(GenericAPIView):
    name = _('Install Bundle')
    model = models.Instance
    serializer_class = serializers.InstanceSerializer
-    permission_classes = (IsSystemAdminOrAuditor,)
+    permission_classes = (IsSystemAdmin,)

    def get(self, request, *args, **kwargs):
        instance_obj = self.get_object()
--- a/awx/main/tests/functional/api/test_instance.py
+++ b/awx/main/tests/functional/api/test_instance.py
@ -1,3 +1,5 @@
+from unittest import mock
+
 import pytest

 from awx.api.versioning import reverse
@ -5,6 +7,9 @@ from awx.main.models.activity_stream import ActivityStream
 from awx.main.models.ha import Instance

 from django.test.utils import override_settings
+from django.http import HttpResponse
+
+from rest_framework import status


 INSTANCE_KWARGS = dict(hostname='example-host', cpu=6, node_type='execution', memory=36000000000, cpu_capacity=6, mem_capacity=42)
@ -87,3 +92,11 @@ def test_custom_hostname_regex(post, admin_user):
                "peers": [],
            }
            post(url=url, user=admin_user, data=data, expect=value[1])
+
+
+def test_instance_install_bundle(get, admin_user, system_auditor):
+    instance = Instance.objects.create(**INSTANCE_KWARGS)
+    url = reverse('api:instance_install_bundle', kwargs={'pk': instance.pk})
+    with mock.patch('awx.api.views.instance_install_bundle.InstanceInstallBundle.get', return_value=HttpResponse({'test': 'data'}, status=status.HTTP_200_OK)):
+        get(url=url, user=admin_user, expect=200)
+        get(url=url, user=system_auditor, expect=403)