Add better 403 error message for Job template create (#15307)

* Add better 403 error message for Job template create To create Job template u need access to projects and inventory --------- Co-authored-by: Chris Meyers <chris.meyers.fsu@gmail.com>
2026-01-10 15:32:07 -03:30 · 2024-07-01 11:02:07 -04:00 · 2024-07-01 11:02:07 -04:00 · 2c4ad6ef0f
commit 2c4ad6ef0f
parent 37f44d7214
3 changed files with 28 additions and 6 deletions
--- a/awx/api/views/init.py
+++ b/awx/api/views/init.py
@ -2392,6 +2392,14 @@ class JobTemplateList(ListCreateAPIView):
    serializer_class = serializers.JobTemplateSerializer
    always_allow_superuser = False

+    def check_permissions(self, request):
+        if request.method == 'POST':
+            can_access, messages = request.user.can_access_with_errors(self.model, 'add', request.data)
+            if not can_access:
+                self.permission_denied(request, message=messages)
+
+        super(JobTemplateList, self).check_permissions(request)
+

 class JobTemplateDetail(RelatedJobsPreventDeleteMixin, RetrieveUpdateDestroyAPIView):
    model = models.JobTemplate
--- a/awx/main/access.py
+++ b/awx/main/access.py
@ -1595,6 +1595,8 @@ class JobTemplateAccess(NotificationAttachMixin, UnifiedCredentialsMixin, BaseAc
        inventory = get_value(Inventory, 'inventory')
        if inventory:
            if self.user not in inventory.use_role:
+                if self.save_messages:
+                    self.messages['inventory'] = [_('You do not have use permission on Inventory')]
                return False

        if not self.check_related('execution_environment', ExecutionEnvironment, data, role_field='read_role'):
@ -1603,11 +1605,16 @@ class JobTemplateAccess(NotificationAttachMixin, UnifiedCredentialsMixin, BaseAc
        project = get_value(Project, 'project')
        # If the user has admin access to the project (as an org admin), should
        # be able to proceed without additional checks.
-        if project:
-            return self.user in project.use_role
-        else:
+        if not project:
            return False

+        if self.user not in project.use_role:
+            if self.save_messages:
+                self.messages['project'] = [_('You do not have use permission on Project')]
+            return False
+
+        return True
+
    @check_superuser
    def can_copy_related(self, obj):
        """
--- a/awx/main/tests/functional/test_rbac_job_templates.py
+++ b/awx/main/tests/functional/test_rbac_job_templates.py
@ -182,8 +182,14 @@ def test_job_template_creator_access(project, organization, rando, post, setup_m

@pytest.mark.django_db
@pytest.mark.job_permissions
-@pytest.mark.parametrize('lacking', ['project', 'inventory'])
-def test_job_template_insufficient_creator_permissions(lacking, project, inventory, organization, rando, post):
+@pytest.mark.parametrize(
+    'lacking,reason',
+    [
+        ('project', 'You do not have use permission on Project'),
+        ('inventory', 'You do not have use permission on Inventory'),
+    ],
+)
+def test_job_template_insufficient_creator_permissions(lacking, reason, project, inventory, organization, rando, post):
    if lacking != 'project':
        project.use_role.members.add(rando)
    else:
@ -192,12 +198,13 @@ def test_job_template_insufficient_creator_permissions(lacking, project, invento
        inventory.use_role.members.add(rando)
    else:
        inventory.read_role.members.add(rando)
-    post(
+    response = post(
        url=reverse('api:job_template_list'),
        data=dict(name='newly-created-jt', inventory=inventory.id, project=project.pk, playbook='helloworld.yml'),
        user=rando,
        expect=403,
    )
+    assert reason in response.data[lacking]


@pytest.mark.django_db