External-Mirrors/awx
2
0
Fork 0
mirror of https://github.com/ansible/awx.git synced 2026-05-19 14:57:39 -02:30
Code Issues Packages Projects Releases Wiki Activity

Ability to post new job templates. The permissions checks on these need more tests for non-org-admin users.

Browse Source
This commit is contained in:
Michael DeHaan
2013-04-18 22:11:00 -04:00
parent 6bb4f4f255
commit 28332cc5a5
2 changed files with 56 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

42
lib/main/models/__init__.py
View File

@@ -746,7 +746,6 @@ class JobTemplate(CommonModel):
) )
# project has one default playbook but really should have a list of playbooks and flags ... # project has one default playbook but really should have a list of playbooks and flags ...
# ssh-agent bash # ssh-agent bash
# ssh-add ... < key entry # ssh-add ... < key entry
# #
@@ -768,6 +767,47 @@ class JobTemplate(CommonModel):
import lib.urls import lib.urls
return reverse(lib.urls.views_JobTemplateDetail, args=(self.pk,)) return reverse(lib.urls.views_JobTemplateDetail, args=(self.pk,))
@classmethod
def can_user_add(cls, user, data):
'''
a user can create a job template if they are a superuser, an org admin of any org
that the project is a member, or if they have user or team based permissions tying
the project to the inventory source for the given action.
users who are able to create deploy jobs can also make check (dry run) jobs
'''
if user.is_superuser:
return True
project = Project.objects.get(pk=data['project'])
admin_of_orgs = project.organizations.filter(admins__in = [ user ])
if admin_of_orgs.count() > 0:
return True
job_type = data['job_type']
has_project_permission = False
user_permissions = Permission.objects.filter(inventory=inventory, project=project, user=user)
for perm in user_permissions:
if job_type == PERM_INVENTORY_CHECK:
# if you have run permissions, you can also create check jobs
has_project_permission = True
elif job_type == PERM_INVENTORY_DEPLOY and perm.job_type == PERM_INVENTORY_DEPLOY:
# you need explicit run permissions to make run jobs
has_project_permission = True
team_permissions = Permission.objects.filter(inventory=inventory, project=project, team__users__in = [user])
for perm in team_permissions:
if job_type == PERM_INVENTORY_CHECK:
# if you have run permissions, you can also create check jobs
has_project_permission = True
elif job_type == PERM_INVENTORY_DEPLOY and perm.job_type == PERM_INVENTORY_DEPLOY:
# you need explicit run permissions to make run jobs
has_project_permission = True
return has_project_permission
class Job(CommonModel): class Job(CommonModel):
''' '''

19
lib/main/tests/jobs.py
View File

@@ -100,12 +100,23 @@ class JobsTest(BaseTest):
) )
def test_get_list(self): def test_mainline(self):
# no credentials == 401 # job templates
data = self.get('/api/v1/job_templates/', expect=401) data = self.get('/api/v1/job_templates/', expect=401)
data = self.get('/api/v1/job_templates/', expect=200, auth=self.get_normal_credentials()) data = self.get('/api/v1/job_templates/', expect=200, auth=self.get_normal_credentials())
#print data self.assertTrue(data['count'], 2)
self.assertTrue(data['count'], 99)
rec = dict(
name = 'job-foo',
credential = self.credential.pk,
inventory = self.inventory.pk,
project = self.project.pk,
job_type = PERM_INVENTORY_DEPLOY
)
posted = self.post('/api/v1/job_templates/', rec, expect=201, auth=self.get_normal_credentials())
self.assertEquals(posted['url'], '/api/v1/job_templates/3/')