External-Mirrors/awx
2
0
Fork 0
mirror of https://github.com/ansible/awx.git synced 2026-01-13 02:50:02 -03:30
Code Issues Packages Projects Releases Wiki Activity

do not allow tower group delete or name change

Browse Source 
* DO allow policy changes and other attribute changes
This commit is contained in:
chris meyers 2018-03-21 15:45:52 -04:00
parent e58038b056
commit 305ef6fa7e
4 changed files with 22 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
awx/api/permissions.py
View File

@ -231,8 +231,10 @@ class IsSuperUser(permissions.BasePermission):
class InstanceGroupTowerPermission(ModelAccessPermission):
def has_object_permission(self, request, view, obj):
if request.method not in permissions.SAFE_METHODS:
if obj.name == "tower":
return False
if request.method == 'DELETE' and obj.name == "tower":
return False
if request.method in ['PATCH', 'PUT'] and obj.name == 'tower' and \
request and request.data and request.data.get('name', '') != 'tower':
return False
return super(InstanceGroupTowerPermission, self).has_object_permission(request, view, obj)

1
awx/api/views.py
View File

@ -661,6 +661,7 @@ class InstanceGroupList(ListCreateAPIView):
class InstanceGroupDetail(RelatedJobsPreventDeleteMixin, RetrieveUpdateDestroyAPIView):
always_allow_superuser = False
view_name = _("Instance Group Detail")
model = InstanceGroup
serializer_class = InstanceGroupSerializer

9
awx/main/access.py
View File

@ -466,6 +466,15 @@ class InstanceGroupAccess(BaseAccess):
def can_change(self, obj, data):
return self.user.is_superuser
def can_delete(self, obj):
return self.user.is_superuser
def can_attach(self, obj, sub_obj, relationship, *args, **kwargs):
return self.user.is_superuser
def can_unattach(self, obj, sub_obj, relationship, *args, **kwargs):
return self.user.is_superuser
class UserAccess(BaseAccess):
'''

13
awx/main/tests/functional/api/test_instance_group.py
View File

@ -80,11 +80,12 @@ def test_delete_instance_group_jobs_running(delete, instance_group_jobs_running,
@pytest.mark.django_db
def test_delete_tower_instance_group_prevented(delete, options, tower_instance_group, admin):
def test_delete_tower_instance_group_prevented(delete, options, tower_instance_group, user):
url = reverse("api:instance_group_detail", kwargs={'pk': tower_instance_group.pk})
delete(url, None, admin, expect=403)
resp = options(url, None, admin, expect=200)
actions = ['DELETE', 'PATCH', 'PUT']
super_user = user('bob', True)
delete(url, None, super_user, expect=403)
resp = options(url, None, super_user, expect=200)
actions = ['GET', 'PUT',]
assert 'DELETE' not in resp.data['actions']
for action in actions:
assert action not in resp.data['actions']
assert 'GET' in resp.data['actions']
assert action in resp.data['actions']