From 270a41443c0ab8c498eb383cd2db15d7db0d683f Mon Sep 17 00:00:00 2001
From: AlanCoding
Date: Thu, 2 Nov 2017 22:03:22 -0400
Subject: [PATCH] fix bug of system auditor 404 viewing job
---
 awx/main/access.py | 6 ------
 awx/main/tests/functional/test_rbac_job.py | 16 ++++++++++++----
 2 files changed, 12 insertions(+), 10 deletions(-)
diff --git a/awx/main/access.py b/awx/main/access.py
index dfdaebd346..aa34551576 100644
--- a/awx/main/access.py
+++ b/awx/main/access.py
@@ -1357,12 +1357,6 @@ class JobAccess(BaseAccess):
 return True
 return False
- @check_superuser
- def can_read(self, obj):
- if obj.job_template and self.user in obj.job_template.read_role:
- return True
- return self.org_access(obj, role_types=['auditor_role', 'admin_role'])
-
 def can_add(self, data, validate_license=True):
 if validate_license:
 self.check_license()
diff --git a/awx/main/tests/functional/test_rbac_job.py b/awx/main/tests/functional/test_rbac_job.py
index d721f2b98e..c2a87063d7 100644
--- a/awx/main/tests/functional/test_rbac_job.py
+++ b/awx/main/tests/functional/test_rbac_job.py
@@ -51,12 +51,20 @@ def proj_updater(project, rando):
 return rando
-# Read permissions testing
+# Check that superuser & system auditors can see fully orphaned jobs
 @pytest.mark.django_db
-def test_superuser_sees_orphans(normal_job, admin_user):
+@pytest.mark.parametrize("superuser", [True, False])
+def test_superuser_superauditor_sees_orphans(normal_job, superuser, admin_user, system_auditor):
+ if superuser:
+ u = admin_user
+ else:
+ u = system_auditor
 normal_job.job_template = None
- access = JobAccess(admin_user)
- assert access.can_read(normal_job)
+ normal_job.project = None
+ normal_job.inventory = None
+ access = JobAccess(u)
+ assert access.can_read(normal_job), "User sys auditor: {}, sys admin: {}".format(
+ u.is_system_auditor, u.is_superuser)
 @pytest.mark.django_db
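Review bot: `test_superuser_superauditor_sees_orphans` only pins the allow path, so nothing in this hunk shows that an unprivileged user is still denied a job whose `job_template`, `project` and `inventory` are all None. The first hunk deletes the `JobAccess.can_read` override, so read authorization now comes from the inherited check, which is not visible in this patch. That makes a negative case worth adding next to this test, for example `assert not JobAccess(rando).can_read(normal_job)` on the same orphaned job, using the `rando` fixture already seen in this file. It would also help to confirm that the two grants the removed method made explicitly (the job template's `read_role` and the organization `auditor_role`/`admin_role`) are still covered by tests elsewhere in the file, since their enforcement has moved.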