External-Mirrors/awx
2
0
Fork 0
mirror of https://github.com/ansible/awx.git synced 2026-05-19 14:57:39 -02:30
Code Issues Packages Projects Releases Wiki Activity

fixes for RBAC bugs from check_related

Browse Source
This commit is contained in:
AlanCoding
2016-11-09 15:38:09 -05:00
parent fdfce0bc73
commit 2c9cf0f6d6
2 changed files with 14 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
awx/main/access.py
View File

@@ -921,7 +921,7 @@ class ProjectAccess(BaseAccess):
@check_superuser @check_superuser
def can_change(self, obj, data): def can_change(self, obj, data):
if not self.check_related('organization', Organization, data): if not self.check_related('organization', Organization, data, obj=obj):
return False return False
return self.user in obj.admin_role return self.user in obj.admin_role
@@ -1523,7 +1523,7 @@ class WorkflowJobTemplateAccess(BaseAccess):
# if 'survey_enabled' in data and data['survey_enabled']: # if 'survey_enabled' in data and data['survey_enabled']:
# self.check_license(feature='surveys') # self.check_license(feature='surveys')
return self.check_related('organization', Organization, data) return self.check_related('organization', Organization, data, mandatory=True)
def can_start(self, obj, validate_license=True): def can_start(self, obj, validate_license=True):
if validate_license: if validate_license:
@@ -1973,7 +1973,8 @@ class LabelAccess(BaseAccess):
def can_change(self, obj, data): def can_change(self, obj, data):
if self.can_add(data) is False: if self.can_add(data) is False:
return False return False
return self.check_related('organization', Organization, data, obj=obj, mandatory=True)
return self.user in obj.organization.admin_role
def can_delete(self, obj): def can_delete(self, obj):
return self.can_change(obj, None) return self.can_change(obj, None)
@@ -2069,11 +2070,11 @@ class CustomInventoryScriptAccess(BaseAccess):
def can_add(self, data): def can_add(self, data):
if not data: # So the browseable API will work if not data: # So the browseable API will work
return Organization.accessible_objects(self.user, 'admin_role').exists() return Organization.accessible_objects(self.user, 'admin_role').exists()
return self.check_related('organization', Organization, data) return self.check_related('organization', Organization, data, mandatory=True)
@check_superuser @check_superuser
def can_admin(self, obj, data=None): def can_admin(self, obj, data=None):
return self.check_related('organization', Organization, data, obj=obj) return self.check_related('organization', Organization, data, obj=obj) and self.user in obj.admin_role
@check_superuser @check_superuser
def can_change(self, obj, data): def can_change(self, obj, data):

8
awx/main/tests/functional/test_rbac_inventory.py
View File

@@ -39,6 +39,14 @@ def test_modify_inv_script_foreign_org_admin(org_admin, organization, organizati
access = CustomInventoryScriptAccess(org_admin) access = CustomInventoryScriptAccess(org_admin)
assert not access.can_change(custom_inv, {'organization': other_org.pk, 'name': 'new-project'}) assert not access.can_change(custom_inv, {'organization': other_org.pk, 'name': 'new-project'})
@pytest.mark.django_db
def test_org_member_inventory_script_permissions(org_member, organization):
custom_inv = CustomInventoryScript.objects.create(name='test', script='test', organization=organization)
access = CustomInventoryScriptAccess(org_member)
assert access.can_read(custom_inv)
assert not access.can_delete(custom_inv)
assert not access.can_change(custom_inv, {'name': 'ed-test'})
@pytest.mark.django_db @pytest.mark.django_db
def test_inventory_admin_user(inventory, permissions, user): def test_inventory_admin_user(inventory, permissions, user):
u = user('admin', False) u = user('admin', False)