Merge pull request #4321 from AlanCoding/role_filter2

filter.py implementation of RBAC downselection
2026-01-11 18:09:57 -03:30 · 2016-12-08 12:45:07 -05:00 · 2016-12-08 12:45:07 -05:00 · 26adcf5972
commit 26adcf5972
parent 949ccd41b2 2092e67f6f
2 changed files with 21 additions and 1 deletions
--- a/awx/api/filters.py
+++ b/awx/api/filters.py
@ -19,6 +19,7 @@ from rest_framework.filters import BaseFilterBackend

 # Ansible Tower
 from awx.main.utils import get_type_for_model, to_python_boolean
+from awx.main.models.rbac import RoleAncestorEntry


 class MongoFilterBackend(BaseFilterBackend):
@ -158,6 +159,7 @@ class FieldLookupBackend(BaseFilterBackend):
            and_filters = []
            or_filters = []
            chain_filters = []
+            role_filters = []
            for key, values in request.query_params.lists():
                if key in self.RESERVED_NAMES:
                    continue
@ -174,6 +176,11 @@ class FieldLookupBackend(BaseFilterBackend):
                    key = key[:-5]
                    q_int = True

+                # RBAC filtering
+                if key == 'role_level':
+                    role_filters.append(values[0])
+                    continue
+
                # Custom chain__ and or__ filters, mutually exclusive (both can
                # precede not__).
                q_chain = False
@ -204,13 +211,21 @@ class FieldLookupBackend(BaseFilterBackend):
                        and_filters.append((q_not, new_key, value))

            # Now build Q objects for database query filter.
-            if and_filters or or_filters or chain_filters:
+            if and_filters or or_filters or chain_filters or role_filters:
                args = []
                for n, k, v in and_filters:
                    if n:
                        args.append(~Q(**{k:v}))
                    else:
                        args.append(Q(**{k:v}))
+                for role_name in role_filters:
+                    args.append(
+                        Q(pk__in=RoleAncestorEntry.objects.filter(
+                            ancestor__in=request.user.roles.all(),
+                            content_type_id=ContentType.objects.get_for_model(queryset.model).id,
+                            role_field=role_name
+                        ).values_list('object_id').distinct())
+                    )
                if or_filters:
                    q = Q()
                    for n,k,v in or_filters:
--- a/awx/api/templates/api/_list_common.md
+++ b/awx/api/templates/api/_list_common.md
@ -132,3 +132,8 @@ values.

 Lists (for the `in` lookup) may be specified as a comma-separated list of
 values.
+
+(_Added in Ansible Tower 3.1.0_) Filtering based on the requesting user's
+level of access by query string parameter.
+
+* `role_level`: Level of role to filter on, such as `admin_role`