mirror of
https://github.com/ansible/awx.git
synced 2026-03-07 19:51:08 -03:30
active flag removal in migration functions
This commit is contained in:
Akita Noek
@@ -199,16 +199,16 @@ class UserAccess(BaseAccess):
|
|||||||
model = User
|
model = User
|
||||||
|
|
||||||
def get_queryset(self):
|
def get_queryset(self):
|
||||||
qs = self.model.objects.filter(is_active=True).distinct()
|
qs = self.model.objects.distinct()
|
||||||
if self.user.is_superuser:
|
if self.user.is_superuser:
|
||||||
return qs
|
return qs
|
||||||
if tower_settings.ORG_ADMINS_CAN_SEE_ALL_USERS and self.user.admin_of_organizations.filter(active=True).exists():
|
if tower_settings.ORG_ADMINS_CAN_SEE_ALL_USERS and self.user.admin_of_organizations.all().exists():
|
||||||
return qs
|
return qs
|
||||||
return qs.filter(
|
return qs.filter(
|
||||||
Q(pk=self.user.pk) |
|
Q(pk=self.user.pk) |
|
||||||
Q(organizations__in=self.user.admin_of_organizations.filter(active=True)) |
|
Q(organizations__in=self.user.admin_of_organizations) |
|
||||||
Q(organizations__in=self.user.organizations.filter(active=True)) |
|
Q(organizations__in=self.user.organizations) |
|
||||||
Q(teams__in=self.user.teams.filter(active=True))
|
Q(teams__in=self.user.teams)
|
||||||
).distinct()
|
).distinct()
|
||||||
|
|
||||||
def can_add(self, data):
|
def can_add(self, data):
|
||||||
@@ -216,7 +216,7 @@ class UserAccess(BaseAccess):
|
|||||||
if to_python_boolean(data['is_superuser'], allow_none=True) and not self.user.is_superuser:
|
if to_python_boolean(data['is_superuser'], allow_none=True) and not self.user.is_superuser:
|
||||||
return False
|
return False
|
||||||
return bool(self.user.is_superuser or
|
return bool(self.user.is_superuser or
|
||||||
self.user.admin_of_organizations.filter(active=True).exists())
|
self.user.admin_of_organizations.exists())
|
||||||
|
|
||||||
def can_change(self, obj, data):
|
def can_change(self, obj, data):
|
||||||
if data is not None and 'is_superuser' in data:
|
if data is not None and 'is_superuser' in data:
|
||||||
@@ -231,18 +231,18 @@ class UserAccess(BaseAccess):
|
|||||||
# Admin implies changing all user fields.
|
# Admin implies changing all user fields.
|
||||||
if self.user.is_superuser:
|
if self.user.is_superuser:
|
||||||
return True
|
return True
|
||||||
return bool(obj.organizations.filter(active=True, deprecated_admins__in=[self.user]).exists())
|
return bool(obj.organizations.filter(deprecated_admins__in=[self.user]).exists())
|
||||||
|
|
||||||
def can_delete(self, obj):
|
def can_delete(self, obj):
|
||||||
if obj == self.user:
|
if obj == self.user:
|
||||||
# cannot delete yourself
|
# cannot delete yourself
|
||||||
return False
|
return False
|
||||||
super_users = User.objects.filter(is_active=True, is_superuser=True)
|
super_users = User.objects.filter(is_superuser=True)
|
||||||
if obj.is_superuser and super_users.count() == 1:
|
if obj.is_superuser and super_users.count() == 1:
|
||||||
# cannot delete the last active superuser
|
# cannot delete the last active superuser
|
||||||
return False
|
return False
|
||||||
return bool(self.user.is_superuser or
|
return bool(self.user.is_superuser or
|
||||||
obj.organizations.filter(active=True, deprecated_admins__in=[self.user]).exists())
|
obj.organizations.filter(deprecated_admins__in=[self.user]).exists())
|
||||||
|
|
||||||
class OrganizationAccess(BaseAccess):
|
class OrganizationAccess(BaseAccess):
|
||||||
'''
|
'''
|
||||||
@@ -257,7 +257,7 @@ class OrganizationAccess(BaseAccess):
|
|||||||
model = Organization
|
model = Organization
|
||||||
|
|
||||||
def get_queryset(self):
|
def get_queryset(self):
|
||||||
qs = self.model.objects.filter(active=True).distinct()
|
qs = self.model.objects.distinct()
|
||||||
qs = qs.select_related('created_by', 'modified_by')
|
qs = qs.select_related('created_by', 'modified_by')
|
||||||
if self.user.is_superuser:
|
if self.user.is_superuser:
|
||||||
return qs
|
return qs
|
||||||
@@ -295,25 +295,21 @@ class InventoryAccess(BaseAccess):
|
|||||||
|
|
||||||
def get_queryset(self, allowed=None, ad_hoc=None):
|
def get_queryset(self, allowed=None, ad_hoc=None):
|
||||||
allowed = allowed or PERMISSION_TYPES_ALLOWING_INVENTORY_READ
|
allowed = allowed or PERMISSION_TYPES_ALLOWING_INVENTORY_READ
|
||||||
qs = Inventory.objects.filter(active=True).distinct()
|
qs = Inventory.objects.distinct()
|
||||||
qs = qs.select_related('created_by', 'modified_by', 'organization')
|
qs = qs.select_related('created_by', 'modified_by', 'organization')
|
||||||
if self.user.is_superuser:
|
if self.user.is_superuser:
|
||||||
return qs
|
return qs
|
||||||
qs = qs.filter(organization__active=True)
|
|
||||||
admin_of = qs.filter(organization__deprecated_admins__in=[self.user]).distinct()
|
admin_of = qs.filter(organization__deprecated_admins__in=[self.user]).distinct()
|
||||||
has_user_kw = dict(
|
has_user_kw = dict(
|
||||||
permissions__user__in=[self.user],
|
permissions__user__in=[self.user],
|
||||||
permissions__permission_type__in=allowed,
|
permissions__permission_type__in=allowed,
|
||||||
permissions__active=True,
|
|
||||||
)
|
)
|
||||||
if ad_hoc is not None:
|
if ad_hoc is not None:
|
||||||
has_user_kw['permissions__run_ad_hoc_commands'] = ad_hoc
|
has_user_kw['permissions__run_ad_hoc_commands'] = ad_hoc
|
||||||
has_user_perms = qs.filter(**has_user_kw).distinct()
|
has_user_perms = qs.filter(**has_user_kw).distinct()
|
||||||
has_team_kw = dict(
|
has_team_kw = dict(
|
||||||
permissions__team__deprecated_users__in=[self.user],
|
permissions__team__deprecated_users__in=[self.user],
|
||||||
permissions__team__active=True,
|
|
||||||
permissions__permission_type__in=allowed,
|
permissions__permission_type__in=allowed,
|
||||||
permissions__active=True,
|
|
||||||
)
|
)
|
||||||
if ad_hoc is not None:
|
if ad_hoc is not None:
|
||||||
has_team_kw['permissions__run_ad_hoc_commands'] = ad_hoc
|
has_team_kw['permissions__run_ad_hoc_commands'] = ad_hoc
|
||||||
@@ -330,7 +326,7 @@ class InventoryAccess(BaseAccess):
|
|||||||
# If no data is specified, just checking for generic add permission?
|
# If no data is specified, just checking for generic add permission?
|
||||||
if not data:
|
if not data:
|
||||||
return bool(self.user.is_superuser or
|
return bool(self.user.is_superuser or
|
||||||
self.user.admin_of_organizations.filter(active=True).exists())
|
self.user.admin_of_organizations.exists())
|
||||||
# Otherwise, verify that the user has access to change the parent
|
# Otherwise, verify that the user has access to change the parent
|
||||||
# organization of this inventory.
|
# organization of this inventory.
|
||||||
if self.user.is_superuser:
|
if self.user.is_superuser:
|
||||||
@@ -379,7 +375,7 @@ class HostAccess(BaseAccess):
|
|||||||
model = Host
|
model = Host
|
||||||
|
|
||||||
def get_queryset(self):
|
def get_queryset(self):
|
||||||
qs = self.model.objects.filter(active=True).distinct()
|
qs = self.model.objects.distinct()
|
||||||
qs = qs.select_related('created_by', 'modified_by', 'inventory',
|
qs = qs.select_related('created_by', 'modified_by', 'inventory',
|
||||||
'last_job__job_template',
|
'last_job__job_template',
|
||||||
'last_job_host_summary__job')
|
'last_job_host_summary__job')
|
||||||
@@ -435,7 +431,7 @@ class GroupAccess(BaseAccess):
|
|||||||
model = Group
|
model = Group
|
||||||
|
|
||||||
def get_queryset(self):
|
def get_queryset(self):
|
||||||
qs = self.model.objects.filter(active=True).distinct()
|
qs = self.model.objects.distinct()
|
||||||
qs = qs.select_related('created_by', 'modified_by', 'inventory')
|
qs = qs.select_related('created_by', 'modified_by', 'inventory')
|
||||||
qs = qs.prefetch_related('parents', 'children', 'inventory_source')
|
qs = qs.prefetch_related('parents', 'children', 'inventory_source')
|
||||||
inventory_ids = set(self.user.get_queryset(Inventory).values_list('id', flat=True))
|
inventory_ids = set(self.user.get_queryset(Inventory).values_list('id', flat=True))
|
||||||
@@ -466,9 +462,6 @@ class GroupAccess(BaseAccess):
|
|||||||
if not super(GroupAccess, self).can_attach(obj, sub_obj, relationship,
|
if not super(GroupAccess, self).can_attach(obj, sub_obj, relationship,
|
||||||
data, skip_sub_obj_read_check):
|
data, skip_sub_obj_read_check):
|
||||||
return False
|
return False
|
||||||
# Don't allow attaching if the sub obj is not active
|
|
||||||
if not obj.active:
|
|
||||||
return False
|
|
||||||
# Prevent assignments between different inventories.
|
# Prevent assignments between different inventories.
|
||||||
if obj.inventory != sub_obj.inventory:
|
if obj.inventory != sub_obj.inventory:
|
||||||
raise ParseError('Cannot associate two items from different inventories')
|
raise ParseError('Cannot associate two items from different inventories')
|
||||||
@@ -495,7 +488,7 @@ class InventorySourceAccess(BaseAccess):
|
|||||||
model = InventorySource
|
model = InventorySource
|
||||||
|
|
||||||
def get_queryset(self):
|
def get_queryset(self):
|
||||||
qs = self.model.objects.filter(active=True).distinct()
|
qs = self.model.objects.distinct()
|
||||||
qs = qs.select_related('created_by', 'modified_by', 'group', 'inventory')
|
qs = qs.select_related('created_by', 'modified_by', 'group', 'inventory')
|
||||||
inventory_ids = set(self.user.get_queryset(Inventory).values_list('id', flat=True))
|
inventory_ids = set(self.user.get_queryset(Inventory).values_list('id', flat=True))
|
||||||
return qs.filter(Q(inventory_id__in=inventory_ids) |
|
return qs.filter(Q(inventory_id__in=inventory_ids) |
|
||||||
@@ -535,7 +528,7 @@ class InventoryUpdateAccess(BaseAccess):
|
|||||||
model = InventoryUpdate
|
model = InventoryUpdate
|
||||||
|
|
||||||
def get_queryset(self):
|
def get_queryset(self):
|
||||||
qs = InventoryUpdate.objects.filter(active=True).distinct()
|
qs = InventoryUpdate.objects.distinct()
|
||||||
qs = qs.select_related('created_by', 'modified_by', 'inventory_source__group',
|
qs = qs.select_related('created_by', 'modified_by', 'inventory_source__group',
|
||||||
'inventory_source__inventory')
|
'inventory_source__inventory')
|
||||||
inventory_sources_qs = self.user.get_queryset(InventorySource)
|
inventory_sources_qs = self.user.get_queryset(InventorySource)
|
||||||
@@ -569,19 +562,19 @@ class CredentialAccess(BaseAccess):
|
|||||||
# Create a base queryset.
|
# Create a base queryset.
|
||||||
# If the user is a superuser, and therefore can see everything, this
|
# If the user is a superuser, and therefore can see everything, this
|
||||||
# is also sufficient, and we are done.
|
# is also sufficient, and we are done.
|
||||||
qs = self.model.objects.filter(active=True).distinct()
|
qs = self.model.objects.distinct()
|
||||||
qs = qs.select_related('created_by', 'modified_by', 'user', 'team')
|
qs = qs.select_related('created_by', 'modified_by', 'user', 'team')
|
||||||
if self.user.is_superuser:
|
if self.user.is_superuser:
|
||||||
return qs
|
return qs
|
||||||
|
|
||||||
# Get the list of organizations for which the user is an admin
|
# Get the list of organizations for which the user is an admin
|
||||||
orgs_as_admin_ids = set(self.user.admin_of_organizations.filter(active=True).values_list('id', flat=True))
|
orgs_as_admin_ids = set(self.user.admin_of_organizations.values_list('id', flat=True))
|
||||||
return qs.filter(
|
return qs.filter(
|
||||||
Q(user=self.user) |
|
Q(user=self.user) |
|
||||||
Q(user__organizations__id__in=orgs_as_admin_ids) |
|
Q(user__organizations__id__in=orgs_as_admin_ids) |
|
||||||
Q(user__admin_of_organizations__id__in=orgs_as_admin_ids) |
|
Q(user__admin_of_organizations__id__in=orgs_as_admin_ids) |
|
||||||
Q(team__organization__id__in=orgs_as_admin_ids, team__active=True) |
|
Q(team__organization__id__in=orgs_as_admin_ids) |
|
||||||
Q(team__deprecated_users__in=[self.user], team__active=True)
|
Q(team__deprecated_users__in=[self.user])
|
||||||
)
|
)
|
||||||
|
|
||||||
def can_add(self, data):
|
def can_add(self, data):
|
||||||
@@ -607,12 +600,12 @@ class CredentialAccess(BaseAccess):
|
|||||||
if obj.user:
|
if obj.user:
|
||||||
if self.user == obj.user:
|
if self.user == obj.user:
|
||||||
return True
|
return True
|
||||||
if obj.user.organizations.filter(active=True, deprecated_admins__in=[self.user]).exists():
|
if obj.user.organizations.filter(deprecated_admins__in=[self.user]).exists():
|
||||||
return True
|
return True
|
||||||
if obj.user.admin_of_organizations.filter(active=True, deprecated_admins__in=[self.user]).exists():
|
if obj.user.admin_of_organizations.filter(deprecated_admins__in=[self.user]).exists():
|
||||||
return True
|
return True
|
||||||
if obj.team:
|
if obj.team:
|
||||||
if self.user in obj.team.organization.deprecated_admins.filter(is_active=True):
|
if self.user in obj.team.organization.deprecated_admins.all():
|
||||||
return True
|
return True
|
||||||
return False
|
return False
|
||||||
|
|
||||||
@@ -637,12 +630,12 @@ class TeamAccess(BaseAccess):
|
|||||||
model = Team
|
model = Team
|
||||||
|
|
||||||
def get_queryset(self):
|
def get_queryset(self):
|
||||||
qs = self.model.objects.filter(active=True).distinct()
|
qs = self.model.objects.distinct()
|
||||||
qs = qs.select_related('created_by', 'modified_by', 'organization')
|
qs = qs.select_related('created_by', 'modified_by', 'organization')
|
||||||
if self.user.is_superuser:
|
if self.user.is_superuser:
|
||||||
return qs
|
return qs
|
||||||
return qs.filter(
|
return qs.filter(
|
||||||
Q(organization__deprecated_admins__in=[self.user], organization__active=True) |
|
Q(organization__deprecated_admins__in=[self.user]) |
|
||||||
Q(deprecated_users__in=[self.user])
|
Q(deprecated_users__in=[self.user])
|
||||||
)
|
)
|
||||||
|
|
||||||
@@ -689,26 +682,24 @@ class ProjectAccess(BaseAccess):
|
|||||||
model = Project
|
model = Project
|
||||||
|
|
||||||
def get_queryset(self):
|
def get_queryset(self):
|
||||||
qs = Project.objects.filter(active=True).distinct()
|
qs = Project.objects.distinct()
|
||||||
qs = qs.select_related('modified_by', 'credential', 'current_job', 'last_job')
|
qs = qs.select_related('modified_by', 'credential', 'current_job', 'last_job')
|
||||||
if self.user.is_superuser:
|
if self.user.is_superuser:
|
||||||
return qs
|
return qs
|
||||||
team_ids = set(Team.objects.filter(deprecated_users__in=[self.user]).values_list('id', flat=True))
|
team_ids = set(Team.objects.filter(deprecated_users__in=[self.user]).values_list('id', flat=True))
|
||||||
qs = qs.filter(Q(created_by=self.user, deprecated_organizations__isnull=True) |
|
qs = qs.filter(Q(created_by=self.user, deprecated_organizations__isnull=True) |
|
||||||
Q(deprecated_organizations__deprecated_admins__in=[self.user], deprecated_organizations__active=True) |
|
Q(deprecated_organizations__deprecated_admins__in=[self.user]) |
|
||||||
Q(deprecated_organizations__deprecated_users__in=[self.user], deprecated_organizations__active=True) |
|
Q(deprecated_organizations__deprecated_users__in=[self.user]) |
|
||||||
Q(teams__in=team_ids))
|
Q(teams__in=team_ids))
|
||||||
allowed_deploy = [PERM_JOBTEMPLATE_CREATE, PERM_INVENTORY_DEPLOY]
|
allowed_deploy = [PERM_JOBTEMPLATE_CREATE, PERM_INVENTORY_DEPLOY]
|
||||||
allowed_check = [PERM_JOBTEMPLATE_CREATE, PERM_INVENTORY_DEPLOY, PERM_INVENTORY_CHECK]
|
allowed_check = [PERM_JOBTEMPLATE_CREATE, PERM_INVENTORY_DEPLOY, PERM_INVENTORY_CHECK]
|
||||||
|
|
||||||
deploy_permissions_ids = set(Permission.objects.filter(
|
deploy_permissions_ids = set(Permission.objects.filter(
|
||||||
Q(user=self.user) | Q(team_id__in=team_ids),
|
Q(user=self.user) | Q(team_id__in=team_ids),
|
||||||
active=True,
|
|
||||||
permission_type__in=allowed_deploy,
|
permission_type__in=allowed_deploy,
|
||||||
).values_list('id', flat=True))
|
).values_list('id', flat=True))
|
||||||
check_permissions_ids = set(Permission.objects.filter(
|
check_permissions_ids = set(Permission.objects.filter(
|
||||||
Q(user=self.user) | Q(team_id__in=team_ids),
|
Q(user=self.user) | Q(team_id__in=team_ids),
|
||||||
active=True,
|
|
||||||
permission_type__in=allowed_check,
|
permission_type__in=allowed_check,
|
||||||
).values_list('id', flat=True))
|
).values_list('id', flat=True))
|
||||||
|
|
||||||
@@ -719,16 +710,16 @@ class ProjectAccess(BaseAccess):
|
|||||||
def can_add(self, data):
|
def can_add(self, data):
|
||||||
if self.user.is_superuser:
|
if self.user.is_superuser:
|
||||||
return True
|
return True
|
||||||
if self.user.admin_of_organizations.filter(active=True).exists():
|
if self.user.admin_of_organizations.exists():
|
||||||
return True
|
return True
|
||||||
return False
|
return False
|
||||||
|
|
||||||
def can_change(self, obj, data):
|
def can_change(self, obj, data):
|
||||||
if self.user.is_superuser:
|
if self.user.is_superuser:
|
||||||
return True
|
return True
|
||||||
if obj.created_by == self.user and not obj.deprecated_organizations.filter(active=True).count():
|
if obj.created_by == self.user and not obj.deprecated_organizations.count():
|
||||||
return True
|
return True
|
||||||
if obj.deprecated_organizations.filter(active=True, deprecated_admins__in=[self.user]).exists():
|
if obj.deprecated_organizations.filter(deprecated_admins__in=[self.user]).exists():
|
||||||
return True
|
return True
|
||||||
return False
|
return False
|
||||||
|
|
||||||
@@ -748,7 +739,7 @@ class ProjectUpdateAccess(BaseAccess):
|
|||||||
model = ProjectUpdate
|
model = ProjectUpdate
|
||||||
|
|
||||||
def get_queryset(self):
|
def get_queryset(self):
|
||||||
qs = ProjectUpdate.objects.filter(active=True).distinct()
|
qs = ProjectUpdate.objects.distinct()
|
||||||
qs = qs.select_related('created_by', 'modified_by', 'project')
|
qs = qs.select_related('created_by', 'modified_by', 'project')
|
||||||
project_ids = set(self.user.get_queryset(Project).values_list('id', flat=True))
|
project_ids = set(self.user.get_queryset(Project).values_list('id', flat=True))
|
||||||
return qs.filter(project_id__in=project_ids)
|
return qs.filter(project_id__in=project_ids)
|
||||||
@@ -776,18 +767,18 @@ class PermissionAccess(BaseAccess):
|
|||||||
model = Permission
|
model = Permission
|
||||||
|
|
||||||
def get_queryset(self):
|
def get_queryset(self):
|
||||||
qs = self.model.objects.filter(active=True).distinct()
|
qs = self.model.objects.distinct()
|
||||||
qs = qs.select_related('created_by', 'modified_by', 'user', 'team', 'inventory',
|
qs = qs.select_related('created_by', 'modified_by', 'user', 'team', 'inventory',
|
||||||
'project')
|
'project')
|
||||||
if self.user.is_superuser:
|
if self.user.is_superuser:
|
||||||
return qs
|
return qs
|
||||||
orgs_as_admin_ids = set(self.user.admin_of_organizations.filter(active=True).values_list('id', flat=True))
|
orgs_as_admin_ids = set(self.user.admin_of_organizations.values_list('id', flat=True))
|
||||||
return qs.filter(
|
return qs.filter(
|
||||||
Q(user__organizations__in=orgs_as_admin_ids) |
|
Q(user__organizations__in=orgs_as_admin_ids) |
|
||||||
Q(user__admin_of_organizations__in=orgs_as_admin_ids) |
|
Q(user__admin_of_organizations__in=orgs_as_admin_ids) |
|
||||||
Q(team__organization__in=orgs_as_admin_ids, team__active=True) |
|
Q(team__organization__in=orgs_as_admin_ids) |
|
||||||
Q(user=self.user) |
|
Q(user=self.user) |
|
||||||
Q(team__deprecated_users__in=[self.user], team__active=True)
|
Q(team__deprecated_users__in=[self.user])
|
||||||
)
|
)
|
||||||
|
|
||||||
def can_add(self, data):
|
def can_add(self, data):
|
||||||
@@ -868,7 +859,7 @@ class JobTemplateAccess(BaseAccess):
|
|||||||
model = JobTemplate
|
model = JobTemplate
|
||||||
|
|
||||||
def get_queryset(self):
|
def get_queryset(self):
|
||||||
qs = self.model.objects.filter(active=True).distinct()
|
qs = self.model.objects.distinct()
|
||||||
qs = qs.select_related('created_by', 'modified_by', 'inventory', 'project',
|
qs = qs.select_related('created_by', 'modified_by', 'inventory', 'project',
|
||||||
'credential', 'cloud_credential', 'next_schedule')
|
'credential', 'cloud_credential', 'next_schedule')
|
||||||
if self.user.is_superuser:
|
if self.user.is_superuser:
|
||||||
@@ -892,12 +883,10 @@ class JobTemplateAccess(BaseAccess):
|
|||||||
# TODO: I think the below queries can be combined
|
# TODO: I think the below queries can be combined
|
||||||
deploy_permissions_ids = Permission.objects.filter(
|
deploy_permissions_ids = Permission.objects.filter(
|
||||||
Q(user=self.user) | Q(team_id__in=team_ids),
|
Q(user=self.user) | Q(team_id__in=team_ids),
|
||||||
active=True,
|
|
||||||
permission_type__in=allowed_deploy,
|
permission_type__in=allowed_deploy,
|
||||||
)
|
)
|
||||||
check_permissions_ids = Permission.objects.filter(
|
check_permissions_ids = Permission.objects.filter(
|
||||||
Q(user=self.user) | Q(team_id__in=team_ids),
|
Q(user=self.user) | Q(team_id__in=team_ids),
|
||||||
active=True,
|
|
||||||
permission_type__in=allowed_check,
|
permission_type__in=allowed_check,
|
||||||
)
|
)
|
||||||
|
|
||||||
@@ -986,7 +975,6 @@ class JobTemplateAccess(BaseAccess):
|
|||||||
Q(user=self.user) | Q(team__deprecated_users__in=[self.user]),
|
Q(user=self.user) | Q(team__deprecated_users__in=[self.user]),
|
||||||
inventory=inventory,
|
inventory=inventory,
|
||||||
project=project,
|
project=project,
|
||||||
active=True,
|
|
||||||
#permission_type__in=[PERM_INVENTORY_CHECK, PERM_INVENTORY_DEPLOY],
|
#permission_type__in=[PERM_INVENTORY_CHECK, PERM_INVENTORY_DEPLOY],
|
||||||
permission_type=PERM_JOBTEMPLATE_CREATE,
|
permission_type=PERM_JOBTEMPLATE_CREATE,
|
||||||
)
|
)
|
||||||
@@ -1044,7 +1032,6 @@ class JobTemplateAccess(BaseAccess):
|
|||||||
Q(user=self.user) | Q(team__deprecated_users__in=[self.user]),
|
Q(user=self.user) | Q(team__deprecated_users__in=[self.user]),
|
||||||
inventory=obj.inventory,
|
inventory=obj.inventory,
|
||||||
project=obj.project,
|
project=obj.project,
|
||||||
active=True,
|
|
||||||
permission_type__in=[PERM_JOBTEMPLATE_CREATE, PERM_INVENTORY_CHECK, PERM_INVENTORY_DEPLOY],
|
permission_type__in=[PERM_JOBTEMPLATE_CREATE, PERM_INVENTORY_CHECK, PERM_INVENTORY_DEPLOY],
|
||||||
)
|
)
|
||||||
|
|
||||||
@@ -1086,7 +1073,7 @@ class JobAccess(BaseAccess):
|
|||||||
model = Job
|
model = Job
|
||||||
|
|
||||||
def get_queryset(self):
|
def get_queryset(self):
|
||||||
qs = self.model.objects.filter(active=True).distinct()
|
qs = self.model.objects.distinct()
|
||||||
qs = qs.select_related('created_by', 'modified_by', 'job_template', 'inventory',
|
qs = qs.select_related('created_by', 'modified_by', 'job_template', 'inventory',
|
||||||
'project', 'credential', 'cloud_credential', 'job_template')
|
'project', 'credential', 'cloud_credential', 'job_template')
|
||||||
qs = qs.prefetch_related('unified_job_template')
|
qs = qs.prefetch_related('unified_job_template')
|
||||||
@@ -1108,12 +1095,10 @@ class JobAccess(BaseAccess):
|
|||||||
# TODO: I think the below queries can be combined
|
# TODO: I think the below queries can be combined
|
||||||
deploy_permissions_ids = Permission.objects.filter(
|
deploy_permissions_ids = Permission.objects.filter(
|
||||||
Q(user=self.user) | Q(team__in=team_ids),
|
Q(user=self.user) | Q(team__in=team_ids),
|
||||||
active=True,
|
|
||||||
permission_type__in=allowed_deploy,
|
permission_type__in=allowed_deploy,
|
||||||
)
|
)
|
||||||
check_permissions_ids = Permission.objects.filter(
|
check_permissions_ids = Permission.objects.filter(
|
||||||
Q(user=self.user) | Q(team__in=team_ids),
|
Q(user=self.user) | Q(team__in=team_ids),
|
||||||
active=True,
|
|
||||||
permission_type__in=allowed_check,
|
permission_type__in=allowed_check,
|
||||||
)
|
)
|
||||||
|
|
||||||
@@ -1212,18 +1197,17 @@ class AdHocCommandAccess(BaseAccess):
|
|||||||
model = AdHocCommand
|
model = AdHocCommand
|
||||||
|
|
||||||
def get_queryset(self):
|
def get_queryset(self):
|
||||||
qs = self.model.objects.filter(active=True).distinct()
|
qs = self.model.objects.distinct()
|
||||||
qs = qs.select_related('created_by', 'modified_by', 'inventory',
|
qs = qs.select_related('created_by', 'modified_by', 'inventory',
|
||||||
'credential')
|
'credential')
|
||||||
if self.user.is_superuser:
|
if self.user.is_superuser:
|
||||||
return qs
|
return qs
|
||||||
|
|
||||||
credential_ids = set(self.user.get_queryset(Credential).values_list('id', flat=True))
|
credential_ids = set(self.user.get_queryset(Credential).values_list('id', flat=True))
|
||||||
team_ids = set(Team.objects.filter(active=True, deprecated_users__in=[self.user]).values_list('id', flat=True))
|
team_ids = set(Team.objects.filter(deprecated_users__in=[self.user]).values_list('id', flat=True))
|
||||||
|
|
||||||
permission_ids = set(Permission.objects.filter(
|
permission_ids = set(Permission.objects.filter(
|
||||||
Q(user=self.user) | Q(team__in=team_ids),
|
Q(user=self.user) | Q(team__in=team_ids),
|
||||||
active=True,
|
|
||||||
permission_type__in=PERMISSION_TYPES_ALLOWING_INVENTORY_READ,
|
permission_type__in=PERMISSION_TYPES_ALLOWING_INVENTORY_READ,
|
||||||
run_ad_hoc_commands=True,
|
run_ad_hoc_commands=True,
|
||||||
).values_list('id', flat=True))
|
).values_list('id', flat=True))
|
||||||
@@ -1247,7 +1231,7 @@ class AdHocCommandAccess(BaseAccess):
|
|||||||
# If a credential is provided, the user should have read access to it.
|
# If a credential is provided, the user should have read access to it.
|
||||||
credential_pk = get_pk_from_dict(data, 'credential')
|
credential_pk = get_pk_from_dict(data, 'credential')
|
||||||
if credential_pk:
|
if credential_pk:
|
||||||
credential = get_object_or_400(Credential, pk=credential_pk, active=True)
|
credential = get_object_or_400(Credential, pk=credential_pk)
|
||||||
if not check_user_access(self.user, Credential, 'read', credential):
|
if not check_user_access(self.user, Credential, 'read', credential):
|
||||||
return False
|
return False
|
||||||
|
|
||||||
@@ -1255,7 +1239,7 @@ class AdHocCommandAccess(BaseAccess):
|
|||||||
# given inventory.
|
# given inventory.
|
||||||
inventory_pk = get_pk_from_dict(data, 'inventory')
|
inventory_pk = get_pk_from_dict(data, 'inventory')
|
||||||
if inventory_pk:
|
if inventory_pk:
|
||||||
inventory = get_object_or_400(Inventory, pk=inventory_pk, active=True)
|
inventory = get_object_or_400(Inventory, pk=inventory_pk)
|
||||||
if not check_user_access(self.user, Inventory, 'run_ad_hoc_commands', inventory):
|
if not check_user_access(self.user, Inventory, 'run_ad_hoc_commands', inventory):
|
||||||
return False
|
return False
|
||||||
|
|
||||||
@@ -1375,7 +1359,7 @@ class UnifiedJobTemplateAccess(BaseAccess):
|
|||||||
model = UnifiedJobTemplate
|
model = UnifiedJobTemplate
|
||||||
|
|
||||||
def get_queryset(self):
|
def get_queryset(self):
|
||||||
qs = self.model.objects.filter(active=True).distinct()
|
qs = self.model.objects.distinct()
|
||||||
project_qs = self.user.get_queryset(Project).filter(scm_type__in=[s[0] for s in Project.SCM_TYPE_CHOICES])
|
project_qs = self.user.get_queryset(Project).filter(scm_type__in=[s[0] for s in Project.SCM_TYPE_CHOICES])
|
||||||
inventory_source_qs = self.user.get_queryset(InventorySource).filter(source__in=CLOUD_INVENTORY_SOURCES)
|
inventory_source_qs = self.user.get_queryset(InventorySource).filter(source__in=CLOUD_INVENTORY_SOURCES)
|
||||||
job_template_qs = self.user.get_queryset(JobTemplate)
|
job_template_qs = self.user.get_queryset(JobTemplate)
|
||||||
@@ -1405,7 +1389,7 @@ class UnifiedJobAccess(BaseAccess):
|
|||||||
model = UnifiedJob
|
model = UnifiedJob
|
||||||
|
|
||||||
def get_queryset(self):
|
def get_queryset(self):
|
||||||
qs = self.model.objects.filter(active=True).distinct()
|
qs = self.model.objects.distinct()
|
||||||
project_update_qs = self.user.get_queryset(ProjectUpdate)
|
project_update_qs = self.user.get_queryset(ProjectUpdate)
|
||||||
inventory_update_qs = self.user.get_queryset(InventoryUpdate).filter(source__in=CLOUD_INVENTORY_SOURCES)
|
inventory_update_qs = self.user.get_queryset(InventoryUpdate).filter(source__in=CLOUD_INVENTORY_SOURCES)
|
||||||
job_qs = self.user.get_queryset(Job)
|
job_qs = self.user.get_queryset(Job)
|
||||||
@@ -1442,7 +1426,7 @@ class ScheduleAccess(BaseAccess):
|
|||||||
model = Schedule
|
model = Schedule
|
||||||
|
|
||||||
def get_queryset(self):
|
def get_queryset(self):
|
||||||
qs = self.model.objects.filter(active=True).distinct()
|
qs = self.model.objects.distinct()
|
||||||
qs = qs.select_related('created_by', 'modified_by')
|
qs = qs.select_related('created_by', 'modified_by')
|
||||||
qs = qs.prefetch_related('unified_job_template')
|
qs = qs.prefetch_related('unified_job_template')
|
||||||
if self.user.is_superuser:
|
if self.user.is_superuser:
|
||||||
@@ -1614,7 +1598,7 @@ class CustomInventoryScriptAccess(BaseAccess):
|
|||||||
model = CustomInventoryScript
|
model = CustomInventoryScript
|
||||||
|
|
||||||
def get_queryset(self):
|
def get_queryset(self):
|
||||||
qs = self.model.objects.filter(active=True).distinct()
|
qs = self.model.objects.distinct()
|
||||||
if not self.user.is_superuser:
|
if not self.user.is_superuser:
|
||||||
qs = qs.filter(Q(organization__deprecated_admins__in=[self.user]) | Q(organization__deprecated_users__in=[self.user]))
|
qs = qs.filter(Q(organization__deprecated_admins__in=[self.user]) | Q(organization__deprecated_users__in=[self.user]))
|
||||||
return qs
|
return qs
|
||||||
@@ -1622,8 +1606,6 @@ class CustomInventoryScriptAccess(BaseAccess):
|
|||||||
def can_read(self, obj):
|
def can_read(self, obj):
|
||||||
if self.user.is_superuser:
|
if self.user.is_superuser:
|
||||||
return True
|
return True
|
||||||
if not obj.active:
|
|
||||||
return False
|
|
||||||
return bool(obj.organization in self.user.organizations.all() or obj.organization in self.user.admin_of_organizations.all())
|
return bool(obj.organization in self.user.organizations.all() or obj.organization in self.user.admin_of_organizations.all())
|
||||||
|
|
||||||
def can_add(self, data):
|
def can_add(self, data):
|
||||||
|
|||||||
@@ -73,7 +73,7 @@ def migrate_inventory(apps, schema_editor):
|
|||||||
|
|
||||||
for inventory in Inventory.objects.all():
|
for inventory in Inventory.objects.all():
|
||||||
teams, users = [], []
|
teams, users = [], []
|
||||||
for perm in Permission.objects.filter(inventory=inventory, active=True):
|
for perm in Permission.objects.filter(inventory=inventory):
|
||||||
role = None
|
role = None
|
||||||
execrole = None
|
execrole = None
|
||||||
if perm.permission_type == 'admin':
|
if perm.permission_type == 'admin':
|
||||||
@@ -186,7 +186,7 @@ def migrate_projects(apps, schema_editor):
|
|||||||
project.member_role.members.add(user)
|
project.member_role.members.add(user)
|
||||||
migrations[project.name]['users'].add(user)
|
migrations[project.name]['users'].add(user)
|
||||||
|
|
||||||
for perm in Permission.objects.filter(project=project, active=True):
|
for perm in Permission.objects.filter(project=project):
|
||||||
# All perms at this level just imply a user or team can read
|
# All perms at this level just imply a user or team can read
|
||||||
if perm.team:
|
if perm.team:
|
||||||
perm.team.member_role.children.add(project.member_role)
|
perm.team.member_role.children.add(project.member_role)
|
||||||
@@ -253,7 +253,6 @@ def migrate_job_templates(apps, schema_editor):
|
|||||||
permission = Permission.objects.filter(
|
permission = Permission.objects.filter(
|
||||||
inventory=jt.inventory,
|
inventory=jt.inventory,
|
||||||
project=jt.project,
|
project=jt.project,
|
||||||
active=True,
|
|
||||||
permission_type__in=['create', 'check', 'run'] if jt.job_type == 'check' else ['create', 'run'],
|
permission_type__in=['create', 'check', 'run'] if jt.job_type == 'check' else ['create', 'run'],
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user