do not allow tower group delete or name change

* DO allow policy changes and other attribute changes
chris meyers
2018-03-21 15:45:52 -04:00
parent e58038b056
commit 305ef6fa7e
4 changed files with 22 additions and 9 deletions


@@ -231,8 +231,10 @@ class IsSuperUser(permissions.BasePermission):
class InstanceGroupTowerPermission(ModelAccessPermission): class InstanceGroupTowerPermission(ModelAccessPermission):
def has_object_permission(self, request, view, obj): def has_object_permission(self, request, view, obj):
if request.method not in permissions.SAFE_METHODS: if request.method == 'DELETE' and obj.name == "tower":
if obj.name == "tower": return False
return False if request.method in ['PATCH', 'PUT'] and obj.name == 'tower' and \
request and request.data and request.data.get('name', '') != 'tower':
return False
return super(InstanceGroupTowerPermission, self).has_object_permission(request, view, obj) return super(InstanceGroupTowerPermission, self).has_object_permission(request, view, obj)
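Review bot: The PATCH/PUT guard in has_object_permission defaults a missing name to an empty string, so `request.data.get('name', '') != 'tower'` is true for any non-empty body that omits `name`. A partial update that only changes a policy field on the tower group is therefore refused, which contradicts the stated intent of allowing policy and other attribute changes. Defaulting to the current value fixes this: `request.data.get('name', obj.name) != obj.name`. The `request and` test is redundant because `request.method` has already been dereferenced on the same line. `request.data.get` also assumes a mapping body, so a JSON list payload would raise instead of being rejected cleanly.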


@@ -661,6 +661,7 @@ class InstanceGroupList(ListCreateAPIView):
class InstanceGroupDetail(RelatedJobsPreventDeleteMixin, RetrieveUpdateDestroyAPIView): class InstanceGroupDetail(RelatedJobsPreventDeleteMixin, RetrieveUpdateDestroyAPIView):
always_allow_superuser = False
view_name = _("Instance Group Detail") view_name = _("Instance Group Detail")
model = InstanceGroup model = InstanceGroup
serializer_class = InstanceGroupSerializer serializer_class = InstanceGroupSerializer
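Review bot: `always_allow_superuser = False` is added to InstanceGroupDetail without a comment, and its purpose is not evident from the view itself. Presumably it stops superusers from being short-circuited past the object-level check that protects the tower group. If so, say that above the attribute, e.g. `# superusers must still pass the object-level permission check that protects the 'tower' group`. The view's permission_classes are outside this hunk, so confirm the tower permission class is actually attached to this view.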


@@ -466,6 +466,15 @@ class InstanceGroupAccess(BaseAccess):
def can_change(self, obj, data): def can_change(self, obj, data):
return self.user.is_superuser return self.user.is_superuser
def can_delete(self, obj):
return self.user.is_superuser
def can_attach(self, obj, sub_obj, relationship, *args, **kwargs):
return self.user.is_superuser
def can_unattach(self, obj, sub_obj, relationship, *args, **kwargs):
return self.user.is_superuser
class UserAccess(BaseAccess): class UserAccess(BaseAccess):
''' '''
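Review bot: The new `can_delete` in InstanceGroupAccess returns `self.user.is_superuser` without looking at `obj`, so the tower-group protection exists only in the DRF permission class. No other caller is visible in this hunk, but any code path that consults the access class directly rather than going through the detail view would still permit the delete. Mirroring the rule here keeps the two layers in agreement: `return self.user.is_superuser and obj.name != 'tower'`. The four methods now share an identical body, so a one-line comment stating that instance-group management is superuser-only would help; the class starts outside the hunk.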


@@ -80,11 +80,12 @@ def test_delete_instance_group_jobs_running(delete, instance_group_jobs_running,
@pytest.mark.django_db @pytest.mark.django_db
def test_delete_tower_instance_group_prevented(delete, options, tower_instance_group, admin): def test_delete_tower_instance_group_prevented(delete, options, tower_instance_group, user):
url = reverse("api:instance_group_detail", kwargs={'pk': tower_instance_group.pk}) url = reverse("api:instance_group_detail", kwargs={'pk': tower_instance_group.pk})
delete(url, None, admin, expect=403) super_user = user('bob', True)
resp = options(url, None, admin, expect=200) delete(url, None, super_user, expect=403)
actions = ['DELETE', 'PATCH', 'PUT'] resp = options(url, None, super_user, expect=200)
actions = ['GET', 'PUT',]
assert 'DELETE' not in resp.data['actions']
for action in actions: for action in actions:
assert action not in resp.data['actions'] assert action in resp.data['actions']
assert 'GET' in resp.data['actions']
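Review bot: test_delete_tower_instance_group_prevented only exercises DELETE and the OPTIONS action list, so the rename rule this commit adds for PATCH/PUT is never tested. Add one request that tries to rename the tower group and expects 403, and one that changes only a non-name attribute and expects 200. Assuming a `patch` fixture exists alongside `delete` and `options`, the first would be `patch(url, {'name': 'renamed'}, super_user, expect=403)`. The second case matters most, because it is the behaviour the commit message promises to keep working. `actions = ['GET', 'PUT',]` also has a stray trailing comma inside a one-line list.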