Moved access control from credential add view to access.py

as it should have always been. This messes up being able to post to
api/v1/users/:n/credentials and api/v1/teams/:n/credentials without
specifying the user/team id in the post body, but looking at the old
code it looks like this might have always been the case, so whatevs..

This fixes an old v new access.py test "failure", and is better anyways..
Akita Noek
2016-04-29 17:27:14 -04:00
parent 1bf4fdbff1
commit 29b55fa04d
3 changed files with 25 additions and 10 deletions


@@ -1232,15 +1232,15 @@ class CredentialList(ListCreateAPIView):
if 'user' in request.data:
user = User.objects.get(pk=request.data['user'])
obj = user
can_add_params = {'user': user.id}
if 'team' in request.data:
team = Team.objects.get(pk=request.data['team'])
obj = team
can_add_params = {'team': team.id}
if 'organization' in request.data:
organization = Organization.objects.get(pk=request.data['organization'])
obj = organization
can_add_params = {'organization': organization.id}
if not self.request.user.can_access(type(obj), 'change', obj, request.data):
if not self.request.user.can_access(Credential, 'add', can_add_params):
raise PermissionDenied()
ret = super(CredentialList, self).post(request, *args, **kwargs)
@@ -1270,8 +1270,7 @@ class UserCredentialsList(CredentialList):
return user_creds & visible_creds
def post(self, request, *args, **kwargs):
user = User.objects.get(pk=self.kwargs['pk'])
request.data['user'] = user.id
request.data['user'] = self.kwargs['pk']
# The following post takes care of ensuring the current user can add a cred to this user
return super(UserCredentialsList, self).post(request, args, kwargs)
@@ -1290,8 +1289,7 @@ class TeamCredentialsList(CredentialList):
return team_creds & visible_creds
def post(self, request, *args, **kwargs):
team = Team.objects.get(pk=self.kwargs['pk'])
request.data['team'] = team.id
request.data['team'] = self.kwargs['pk']
# The following post takes care of ensuring the current user can add a cred to this user
return super(TeamCredentialsList, self).post(request, args, kwargs)
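Review bot: In CredentialList.post (first hunk) the new check `self.request.user.can_access(Credential, 'add', can_add_params)` sees only the last owner assigned, because each of the three `if` branches rebinds `can_add_params` while the unmodified `request` still goes to the parent `post`. A body that names more than one of `user`, `team` and `organization`, including one where UserCredentialsList.post or TeamCredentialsList.post (second and third hunks) has written the URL pk into `request.data`, is therefore authorized against one owner only; whether the other owners are then saved depends on the serializer, which is not visible here. Building a single dict, with `can_add_params = {}` before the branches and `can_add_params['user'] = user.id` (likewise for team and organization) inside them, would let access.py see every requested owner, assuming its add check evaluates each key it is given. It also avoids an unbound `can_add_params` when none of the three keys is present, unless code above the hunk already rejects that case; the method starts outside the hunk.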