From 28332cc5a5a6b189193150045ef9256043317b37 Mon Sep 17 00:00:00 2001
From: Michael DeHaan
Date: Thu, 18 Apr 2013 22:11:00 -0400
Subject: [PATCH] Ability to post new job templates. The permissions checks on these need more tests for non-org-admin users.
---
lib/main/models/__init__.py | 42 ++++++++++++++++++++++++++++++++++++-
lib/main/tests/jobs.py | 19 +++++++++++++----
2 files changed, 56 insertions(+), 5 deletions(-)
diff --git a/lib/main/models/__init__.py b/lib/main/models/__init__.py
index 29c6932211..634ee08648 100644
--- a/lib/main/models/__init__.py
+++ b/lib/main/models/__init__.py
@@ -746,7 +746,6 @@ class JobTemplate(CommonModel): ) # project has one default playbook but really should have a list of playbooks and flags ... - # ssh-agent bash # ssh-add ... < key entry #
@@ -768,6 +767,47 @@ class JobTemplate(CommonModel):
 import lib.urls
 return reverse(lib.urls.views_JobTemplateDetail, args=(self.pk,))
+ @classmethod
+ def can_user_add(cls, user, data):
+ '''
+ a user can create a job template if they are a superuser, an org admin of any org
+ that the project is a member, or if they have user or team based permissions tying
+ the project to the inventory source for the given action.
+
+ users who are able to create deploy jobs can also make check (dry run) jobs
+ '''
+
+ if user.is_superuser:
+ return True
+ project = Project.objects.get(pk=data['project'])
+
+ admin_of_orgs = project.organizations.filter(admins__in = [ user ])
+ if admin_of_orgs.count() > 0:
+ return True
+ job_type = data['job_type']
+
+ has_project_permission = False
+ user_permissions = Permission.objects.filter(inventory=inventory, project=project, user=user)
+ for perm in user_permissions:
+ if job_type == PERM_INVENTORY_CHECK:
+ # if you have run permissions, you can also create check jobs
+ has_project_permission = True
+ elif job_type == PERM_INVENTORY_DEPLOY and perm.job_type == PERM_INVENTORY_DEPLOY:
+ # you need explicit run permissions to make run jobs
+ has_project_permission = True
+ team_permissions = Permission.objects.filter(inventory=inventory, project=project, team__users__in = [user])
+ for perm in team_permissions:
+ if job_type == PERM_INVENTORY_CHECK:
+ # if you have run permissions, you can also create check jobs
+ has_project_permission = True
+ elif job_type == PERM_INVENTORY_DEPLOY and perm.job_type == PERM_INVENTORY_DEPLOY:
+ # you need explicit run permissions to make run jobs
+ has_project_permission = True
+
+ return has_project_permission
+
+
+
 class Job(CommonModel):
 '''
diff --git a/lib/main/tests/jobs.py b/lib/main/tests/jobs.py
index 9fe29853df..5246edbbb8 100644
--- a/lib/main/tests/jobs.py
+++ b/lib/main/tests/jobs.py
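Review bot: `inventory` is never bound inside `can_user_add`, but both `Permission.objects.filter(inventory=inventory, ...)` calls read it, so unless a module-level `inventory` exists outside this hunk, any caller who is neither superuser nor org admin gets a NameError rather than a permission decision. Filtering on the posted value, `inventory__pk=data['inventory']`, in both queries fixes that; `data['project']`, `data['job_type']` and `Project.objects.get` should likewise turn a missing key or unknown pk into a denial or validation error instead of an unhandled exception. In both loops the check branch sets the flag for any matching row without reading `perm.job_type`; if Permission rows can hold other types, `if job_type == PERM_INVENTORY_CHECK and perm.job_type in (PERM_INVENTORY_CHECK, PERM_INVENTORY_DEPLOY):` matches what the comment says. Nothing here looks at `data['credential']`, so whether the poster may attach that credential has to be enforced elsewhere, which this hunk does not show.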
@@ -100,12 +100,23 @@ class JobsTest(BaseTest):
 )
- def test_get_list(self):
+ def test_mainline(self):
- # no credentials == 401
+ # job templates
 data = self.get('/api/v1/job_templates/', expect=401)
 data = self.get('/api/v1/job_templates/', expect=200, auth=self.get_normal_credentials())
- #print data
- self.assertTrue(data['count'], 99)
+ self.assertTrue(data['count'], 2)
+
+ rec = dict(
+ name = 'job-foo',
+ credential = self.credential.pk,
+ inventory = self.inventory.pk,
+ project = self.project.pk,
+ job_type = PERM_INVENTORY_DEPLOY
+ )
+ posted = self.post('/api/v1/job_templates/', rec, expect=201, auth=self.get_normal_credentials())
+ self.assertEquals(posted['url'], '/api/v1/job_templates/3/')
+
+
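Review bot: `self.assertTrue(data['count'], 2)` cannot fail for any non-zero count, because the second argument of assertTrue is the failure message; `self.assertEqual(data['count'], 2)` is what actually pins the list size. The only POST uses `get_normal_credentials()` and expects 201, so there is no refusal case: a user with no org-admin role and no Permission row should be rejected, and deploy-versus-check cases for user and team grants would exercise the Permission queries in `can_user_add`, which this test may never reach if the normal user is an org admin. An unauthenticated POST that expects 401, mirroring the GET above it, would cover the remaining path. Asserting the literal `/api/v1/job_templates/3/` ties the test to the fixture row count; deriving the expected URL from the created record would be sturdier.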