Merge pull request #4495 from AlanCoding/ex_perm

Switch WFJT node permissions to execute and use levels

awx/main/access.py

@@ -1396,23 +1396,18 @@ class WorkflowJobTemplateNodeAccess(BaseAccess):
         return qs
 
     def can_use_prompted_resources(self, data):
-        if not self.check_related('credential', Credential, data):
-            return False
-        if not self.check_related('inventory', Inventory, data):
-            return False
-        return True
+        return (
+            self.check_related('credential', Credential, data, role_field='use_role') and
+            self.check_related('inventory', Inventory, data, role_field='use_role'))
 
     @check_superuser
     def can_add(self, data):
         if not data:  # So the browseable API will work
             return True
-        if not self.check_related('workflow_job_template', WorkflowJobTemplate, data, mandatory=True):
-            return False
-        if not self.check_related('unified_job_template', UnifiedJobTemplate, data):
-            return False
-        if not self.can_use_prompted_resources(data):
-            return False
-        return True
+        return (
+            self.check_related('workflow_job_template', WorkflowJobTemplate, data, mandatory=True) and
+            self.check_related('unified_job_template', UnifiedJobTemplate, data, role_field='execute_role') and
+            self.can_use_prompted_resources(data))
 
     def wfjt_admin(self, obj):
         if not obj.workflow_job_template:

awx/main/tests/functional/test_rbac_workflow.py

@@ -51,17 +51,29 @@ class TestWorkflowJobTemplateAccess:
 @pytest.mark.django_db
 class TestWorkflowJobTemplateNodeAccess:
 
-    def test_jt_access_to_edit(self, wfjt_node, org_admin):
+    def test_no_jt_access_to_edit(self, wfjt_node, org_admin):
+        # without access to the related job template, admin to the WFJT can
+        # not change the prompted parameters
         access = WorkflowJobTemplateNodeAccess(org_admin)
         assert not access.can_change(wfjt_node, {'job_type': 'scan'})
 
     def test_add_JT_no_start_perm(self, wfjt, job_template, rando):
         wfjt.admin_role.members.add(rando)
-        access = WorkflowJobTemplateAccess(rando)
+        access = WorkflowJobTemplateNodeAccess(rando)
         job_template.read_role.members.add(rando)
         assert not access.can_add({
-            'workflow_job_template': wfjt.pk,
-            'unified_job_template': job_template.pk})
+            'workflow_job_template': wfjt,
+            'unified_job_template': job_template})
+
+    def test_add_node_with_minimum_permissions(self, wfjt, job_template, inventory, rando):
+        wfjt.admin_role.members.add(rando)
+        access = WorkflowJobTemplateNodeAccess(rando)
+        job_template.execute_role.members.add(rando)
+        inventory.use_role.members.add(rando)
+        assert access.can_add({
+            'workflow_job_template': wfjt,
+            'inventory': inventory,
+            'unified_job_template': job_template})
 
     def test_remove_unwanted_foreign_node(self, wfjt_node, job_template, rando):
         wfjt = wfjt_node.workflow_job_template