Add more RBAC for approval nodes

2026-03-09 05:29:26 -02:30 · 2019-08-01 09:10:02 -04:00
parent 630f428d77
commit 296b4e830b
5 changed files with 51 additions and 24 deletions
--- a/awx/api/serializers.py
+++ b/awx/api/serializers.py
@@ -3410,9 +3410,16 @@ class WorkflowApprovalViewSerializer(UnifiedJobSerializer):

 class WorkflowApprovalSerializer(UnifiedJobSerializer):

+    can_approve_or_deny = serializers.SerializerMethodField()
+
    class Meta:
        model = WorkflowApproval
-        fields = (['*', '-controller_node', '-execution_node',])
+        fields = (['*', '-controller_node', '-execution_node', 'can_approve_or_deny'])
+
+    def get_can_approve_or_deny(self, obj):
+        request = self.context.get('request', None)
+        allowed = request.user.can_access(WorkflowApproval, 'approve_or_deny', obj)
+        return allowed is True and obj.status == 'pending'

    def get_related(self, obj):
        res = super(WorkflowApprovalSerializer, self).get_related(obj)
@@ -3420,17 +3427,21 @@ class WorkflowApprovalSerializer(UnifiedJobSerializer):
        if obj.workflow_approval_template:
            res['workflow_approval_template'] = self.reverse('api:workflow_approval_template_detail',
                                                             kwargs={'pk': obj.workflow_approval_template.pk})
-            res['notifications'] = self.reverse('api:workflow_approval_notifications_list', kwargs={'pk': obj.pk})
        res['approve'] = self.reverse('api:workflow_approval_approve', kwargs={'pk': obj.pk})
        res['deny'] = self.reverse('api:workflow_approval_deny', kwargs={'pk': obj.pk})
        return res


-
 class WorkflowApprovalListSerializer(WorkflowApprovalSerializer, UnifiedJobListSerializer):

+    can_approve_or_deny = serializers.SerializerMethodField()
+
    class Meta:
-        fields = ('*', '-execution_node', '-controller_node',)
+        fields = ('*', '-execution_node', '-controller_node', 'can_approve_or_deny')
+
+    def get_can_approve_or_deny(self, obj):
+        request = self.context.get('request', None)
+        return request.user.can_access(WorkflowApproval, 'approve_or_deny', obj) is True


 class WorkflowApprovalTemplateSerializer(UnifiedJobTemplateSerializer):
@@ -3446,13 +3457,7 @@ class WorkflowApprovalTemplateSerializer(UnifiedJobTemplateSerializer):

        res.update(dict(
            jobs = self.reverse('api:workflow_approval_template_jobs_list', kwargs={'pk': obj.pk}),
-            # &&&&&& Placeholder for notification things!
-            # notification_templates_started = self.reverse('api:workflow_approval_template_notification_templates_started_list', kwargs={'pk': obj.pk}),
-            # notification_templates_needs_approval = self.reverse(
-            #'api:workflow_approval_template_notification_templates_needs_approval_list', kwargs={'pk': obj.pk}),
-            # notification_templates_success = self.reverse('api:workflow_approval_template_notification_templates_success_list', kwargs={'pk': obj.pk}),
-            # notification_templates_error = self.reverse('api:workflow_approval_template_notification_templates_error_list', kwargs={'pk': obj.pk}),
-        ))
+            ))
        return res


--- a/awx/api/views/init.py
+++ b/awx/api/views/init.py
@@ -4440,8 +4440,6 @@ class WorkflowApprovalList(ListCreateAPIView):
    serializer_class = serializers.WorkflowApprovalListSerializer

    def get(self, request, *args, **kwargs):
-        if not request.user.is_superuser and not request.user.is_system_auditor:
-            raise PermissionDenied(_("Superuser privileges needed."))
        return super(WorkflowApprovalList, self).get(request, *args, **kwargs)


@@ -4455,22 +4453,29 @@ class WorkflowApprovalApprove(RetrieveAPIView):
    model = models.WorkflowApproval
    serializer_class = serializers.WorkflowApprovalViewSerializer

-    # &&&&&& To address later
+    # &&&&&& Changed per the PR review, notes/questions in additional comments...
    def post(self, request, *args, **kwargs):
        obj = self.get_object()
+        request.user.can_access(models.WorkflowApproval, 'approve_or_deny', obj)
+        if obj.status != 'pending':
+            return Response("This workflow step has already been approved or denied.", status=status.HTTP_400_BAD_REQUEST)
        obj.approve()
-        return Response(status=status.HTTP_202_ACCEPTED)
+        return Response(status=status.HTTP_204_NO_CONTENT)


 class WorkflowApprovalDeny(RetrieveAPIView):
    model = models.WorkflowApproval
    serializer_class = serializers.WorkflowApprovalViewSerializer

-    # &&&&&& To address later
+    # &&&&&& Changed per the PR review, notes/questions in additional comments...
    def post(self, request, *args, **kwargs):
        obj = self.get_object()
+        request.user.can_access(models.WorkflowApproval, 'approve_or_deny', obj)
+        if obj.status != 'pending':
+            return Response("This workflow step has already been approved or denied.", status=status.HTTP_400_BAD_REQUEST)
        obj.deny()
-        return Response(status=status.HTTP_202_ACCEPTED)
+        return Response(status=status.HTTP_204_NO_CONTENT)
+


 class WorkflowApprovalNotificationsList(SubListAPIView):