Ability to post new job templates. The permissions checks on these need more tests for non-org-admin users.

2026-02-26 23:46:05 -03:30 · 2013-04-18 22:11:00 -04:00
parent 6bb4f4f255
commit 28332cc5a5
2 changed files with 56 additions and 5 deletions
--- a/lib/main/models/init.py
+++ b/lib/main/models/init.py
@@ -746,7 +746,6 @@ class JobTemplate(CommonModel):
    )

    # project has one default playbook but really should have a list of playbooks and flags ...
-
    # ssh-agent bash
    # ssh-add ... < key entry
    #
@@ -768,6 +767,47 @@ class JobTemplate(CommonModel):
        import lib.urls
        return reverse(lib.urls.views_JobTemplateDetail, args=(self.pk,))

+    @classmethod
+    def can_user_add(cls, user, data):
+        ''' 
+        a user can create a job template if they are a superuser, an org admin of any org
+        that the project is a member, or if they have user or team based permissions tying
+        the project to the inventory source for the given action.
+   
+        users who are able to create deploy jobs can also make check (dry run) jobs
+        '''
+
+        if user.is_superuser:
+            return True
+        project = Project.objects.get(pk=data['project'])
+
+        admin_of_orgs = project.organizations.filter(admins__in = [ user ])
+        if admin_of_orgs.count() > 0:
+            return True
+        job_type = data['job_type']
+
+        has_project_permission = False
+        user_permissions = Permission.objects.filter(inventory=inventory, project=project, user=user)
+        for perm in user_permissions:
+            if job_type == PERM_INVENTORY_CHECK:
+                # if you have run permissions, you can also create check jobs
+                has_project_permission = True
+            elif job_type == PERM_INVENTORY_DEPLOY and perm.job_type == PERM_INVENTORY_DEPLOY:
+                # you need explicit run permissions to make run jobs
+                has_project_permission = True
+        team_permissions = Permission.objects.filter(inventory=inventory, project=project, team__users__in = [user])
+        for perm in team_permissions:
+            if job_type == PERM_INVENTORY_CHECK:
+                # if you have run permissions, you can also create check jobs
+                has_project_permission = True
+            elif job_type == PERM_INVENTORY_DEPLOY and perm.job_type == PERM_INVENTORY_DEPLOY:
+                # you need explicit run permissions to make run jobs
+                has_project_permission = True
+
+        return has_project_permission
+
+
+

 class Job(CommonModel):
    '''
--- a/lib/main/tests/jobs.py
+++ b/lib/main/tests/jobs.py
@@ -100,12 +100,23 @@ class JobsTest(BaseTest):
        )        


-    def test_get_list(self):
+    def test_mainline(self):

-        # no credentials == 401
+        # job templates
        data = self.get('/api/v1/job_templates/', expect=401)
        data = self.get('/api/v1/job_templates/', expect=200, auth=self.get_normal_credentials())
-        #print data
-        self.assertTrue(data['count'], 99)
+        self.assertTrue(data['count'], 2)
+        
+        rec = dict(
+            name         = 'job-foo', 
+            credential   = self.credential.pk, 
+            inventory    = self.inventory.pk, 
+            project      = self.project.pk,
+            job_type     = PERM_INVENTORY_DEPLOY
+        )
+        posted = self.post('/api/v1/job_templates/', rec, expect=201, auth=self.get_normal_credentials())
+        self.assertEquals(posted['url'], '/api/v1/job_templates/3/')
+
+