External-Mirrors/awx
2
0
Fork 0
mirror of https://github.com/ansible/awx.git synced 2026-02-16 18:50:04 -03:30
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #1396 from chrismeyersfsu/labels-rbac

Browse Source 
Labels rbac
This commit is contained in:
Chris Meyers
2016-04-05 08:53:49 -04:00
parent e2b01740fb fa6f5329cf
commit 2f4e8cd163
3 changed files with 82 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

32
awx/main/access.py
View File

@@ -873,7 +873,7 @@ class SystemJobAccess(BaseAccess):
''' '''
model = SystemJob model = SystemJob
class AdHocCommandAccess(BaseAccess): class AdHocCommandAccess(BaseAccess):
''' '''
I can only see/run ad hoc commands when: I can only see/run ad hoc commands when:
- I am a superuser. - I am a superuser.
@@ -1185,15 +1185,39 @@ class NotificationAccess(BaseAccess):
class LabelAccess(BaseAccess): class LabelAccess(BaseAccess):
''' '''
I can see/use a Label if I have permission to I can see/use a Label if I have permission to associated organization
''' '''
model = Label model = Label
def get_queryset(self): def get_queryset(self):
return self.model.objects.distinct().all() if self.user.is_superuser:
return self.model.objects.all()
return self.model.objects.filter(
organization__in=Organization.accessible_objects(self.user, {'read': True})
)
def can_read(self, obj):
if self.user.is_superuser:
return True
return obj.organization and obj.organization.accessible_by(self.user, {'read': True})
def can_add(self, data):
if self.user.is_superuser:
return True
if not data or '_method' in data: # So the browseable API will work?
return True
org_pk = get_pk_from_dict(data, 'organization')
org = get_object_or_400(Organization, pk=org_pk)
return org.accessible_by(self.user, {'read': True})
def can_change(self, obj, data):
if self.user.is_superuser:
return True
return obj.organization and obj.organization.accessible_by(self.user, ALL_PERMISSIONS)
def can_delete(self, obj): def can_delete(self, obj):
return False return self.can_change(obj, None)
class ActivityStreamAccess(BaseAccess): class ActivityStreamAccess(BaseAccess):
''' '''

7
awx/main/tests/functional/conftest.py
View File

@@ -158,6 +158,10 @@ def credential():
def inventory(organization): def inventory(organization):
return organization.inventories.create(name="test-inv") return organization.inventories.create(name="test-inv")
@pytest.fixture
def label(organization):
return organization.labels.create(name="test-label", description="test-label-desc")
@pytest.fixture @pytest.fixture
def role(): def role():
return Role.objects.create(name='role') return Role.objects.create(name='role')
@@ -226,9 +230,6 @@ def hosts(group):
return hosts return hosts
return rf return rf
@pytest.fixture @pytest.fixture
def permissions(): def permissions():
return { return {

50
awx/main/tests/functional/test_rbac_label.py Normal file
View File

@@ -0,0 +1,50 @@
import pytest
from awx.main.access import (
LabelAccess,
)
@pytest.mark.django_db
def test_label_get_queryset_user(label, user):
access = LabelAccess(user('user', False))
label.organization.member_role.members.add(user('user', False))
assert access.get_queryset().count() == 1
@pytest.mark.django_db
def test_label_get_queryset_su(label, user):
access = LabelAccess(user('user', True))
assert access.get_queryset().count() == 1
@pytest.mark.django_db
def test_label_access(label, user):
access = LabelAccess(user('user', False))
assert not access.can_read(label)
@pytest.mark.django_db
def test_label_access_superuser(label, user):
access = LabelAccess(user('admin', True))
assert access.can_read(label)
assert access.can_change(label, None)
assert access.can_delete(label)
@pytest.mark.django_db
def test_label_access_admin(label, user):
'''can_change because I am an admin of that org'''
a = user('admin', False)
label.organization.admin_role.members.add(a)
access = LabelAccess(user('admin', False))
assert access.can_read(label)
assert access.can_change(label, None)
assert access.can_delete(label)
@pytest.mark.django_db
def test_label_access_user(label, user):
access = LabelAccess(user('user', False))
label.organization.member_role.members.add(user('user', False))
assert access.can_read(label)
assert not access.can_change(label, None)
assert not access.can_delete(label)