fixes for RBAC bugs from check_related

2026-01-11 01:57:35 -03:30 · 2016-11-09 15:38:09 -05:00 · 2016-11-09 15:38:09 -05:00 · 2c9cf0f6d6
commit 2c9cf0f6d6
parent fdfce0bc73
2 changed files with 14 additions and 5 deletions
--- a/awx/main/access.py
+++ b/awx/main/access.py
@ -921,7 +921,7 @@ class ProjectAccess(BaseAccess):

    @check_superuser
    def can_change(self, obj, data):
-        if not self.check_related('organization', Organization, data):
+        if not self.check_related('organization', Organization, data, obj=obj):
            return False
        return self.user in obj.admin_role

@ -1523,7 +1523,7 @@ class WorkflowJobTemplateAccess(BaseAccess):
        # if 'survey_enabled' in data and data['survey_enabled']:
        #     self.check_license(feature='surveys')

-        return self.check_related('organization', Organization, data)
+        return self.check_related('organization', Organization, data, mandatory=True)

    def can_start(self, obj, validate_license=True):
        if validate_license:
@ -1973,7 +1973,8 @@ class LabelAccess(BaseAccess):
    def can_change(self, obj, data):
        if self.can_add(data) is False:
            return False
-        return self.check_related('organization', Organization, data, obj=obj, mandatory=True)
+
+        return self.user in obj.organization.admin_role

    def can_delete(self, obj):
        return self.can_change(obj, None)
@ -2069,11 +2070,11 @@ class CustomInventoryScriptAccess(BaseAccess):
    def can_add(self, data):
        if not data:  # So the browseable API will work
            return Organization.accessible_objects(self.user, 'admin_role').exists()
-        return self.check_related('organization', Organization, data)
+        return self.check_related('organization', Organization, data, mandatory=True)

    @check_superuser
    def can_admin(self, obj, data=None):
-        return self.check_related('organization', Organization, data, obj=obj)
+        return self.check_related('organization', Organization, data, obj=obj) and self.user in obj.admin_role

    @check_superuser
    def can_change(self, obj, data):
--- a/awx/main/tests/functional/test_rbac_inventory.py
+++ b/awx/main/tests/functional/test_rbac_inventory.py
@ -39,6 +39,14 @@ def test_modify_inv_script_foreign_org_admin(org_admin, organization, organizati
    access = CustomInventoryScriptAccess(org_admin)
    assert not access.can_change(custom_inv, {'organization': other_org.pk, 'name': 'new-project'})

+@pytest.mark.django_db
+def test_org_member_inventory_script_permissions(org_member, organization):
+    custom_inv = CustomInventoryScript.objects.create(name='test', script='test', organization=organization)
+    access = CustomInventoryScriptAccess(org_member)
+    assert access.can_read(custom_inv)
+    assert not access.can_delete(custom_inv)
+    assert not access.can_change(custom_inv, {'name': 'ed-test'})
+
@pytest.mark.django_db
 def test_inventory_admin_user(inventory, permissions, user):
    u = user('admin', False)