External-Mirrors/awx
2
0
Fork 0
mirror of https://github.com/ansible/awx.git synced 2026-04-10 12:39:22 -02:30
Code Issues Packages Projects Releases Wiki Activity

Check member of org when granting cred (#15353)

Browse Source 
A user needs to be a member of the org
in order to use a credential in that org.

We were incorrectly checking for "change"
permission of the org, instead of "member".

Signed-off-by: Seth Foster <fosterbseth@gmail.com>
This commit is contained in:
Seth Foster
2024-07-10 21:46:26 -04:00
committed by GitHub
parent 6c7d29a982
commit 209e7e27b1
2 changed files with 3 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
awx/main/models/credential/__init__.py
View File

@@ -323,7 +323,7 @@ class Credential(PasswordFieldsModel, CommonModelNameNotUnique, ResourceMixin):
def validate_role_assignment(self, actor, role_definition): def validate_role_assignment(self, actor, role_definition):
if self.organization: if self.organization:
if isinstance(actor, User): if isinstance(actor, User):
if actor.is_superuser or Organization.access_qs(actor, 'change').filter(id=self.organization.id).exists(): if actor.is_superuser or Organization.access_qs(actor, 'member').filter(id=self.organization.id).exists():
return return
if isinstance(actor, Team): if isinstance(actor, Team):
if actor.organization == self.organization: if actor.organization == self.organization:

4
awx/main/tests/functional/dab_rbac/test_dab_rbac_api.py
View File

@@ -128,7 +128,7 @@ def test_assign_credential_to_user_of_another_org(setup_managed_roles, credentia
rd = RoleDefinition.objects.get(name="Credential Admin") rd = RoleDefinition.objects.get(name="Credential Admin")
credential.organization = organization credential.organization = organization
credential.save(update_fields=['organization']) credential.save(update_fields=['organization'])
assert credential.organization not in Organization.access_qs(rando, 'change') assert credential.organization not in Organization.access_qs(rando, 'member')
url = django_reverse('roleuserassignment-list') url = django_reverse('roleuserassignment-list')
resp = post(url=url, data={"user": rando.id, "role_definition": rd.id, "object_id": credential.id}, user=admin_user, expect=400) resp = post(url=url, data={"user": rando.id, "role_definition": rd.id, "object_id": credential.id}, user=admin_user, expect=400)
assert "You cannot grant credential access to a User not in the credentials' organization" in str(resp.data) assert "You cannot grant credential access to a User not in the credentials' organization" in str(resp.data)
@@ -139,7 +139,7 @@ def test_assign_credential_to_user_of_another_org(setup_managed_roles, credentia
post(url=url, data={"user": rando.id, "role_definition": rd.id, "object_id": credential.id}, user=admin_user, expect=201) post(url=url, data={"user": rando.id, "role_definition": rd.id, "object_id": credential.id}, user=admin_user, expect=201)
# can assign credential to org_admin # can assign credential to org_admin
assert credential.organization in Organization.access_qs(org_admin, 'change') assert credential.organization in Organization.access_qs(org_admin, 'member')
post(url=url, data={"user": org_admin.id, "role_definition": rd.id, "object_id": credential.id}, user=admin_user, expect=201) post(url=url, data={"user": org_admin.id, "role_definition": rd.id, "object_id": credential.id}, user=admin_user, expect=201)