External-Mirrors/awx
2
0
Fork 0
mirror of https://github.com/ansible/awx.git synced 2026-05-20 07:17:40 -02:30
Code Issues Packages Projects Releases Wiki Activity

add reverse attach access checks pointing toward roles

Browse Source
This commit is contained in:
AlanCoding
2016-06-10 17:12:26 -04:00
parent a92056dfa4
commit 3e97bdae7f
2 changed files with 52 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
awx/main/access.py
View File

@@ -270,6 +270,12 @@ class UserAccess(BaseAccess):
return True return True
return False return False
def can_attach(self, obj, sub_obj, relationship, data, skip_sub_obj_read_check=False):
if relationship == 'roles':
role_access = RoleAccess(self.user)
return role_access.can_attach(sub_obj, obj, 'members', data, skip_sub_obj_read_check=False)
return super(UserAccess, self).can_attach(obj, sub_obj, relationship, data, skip_sub_obj_read_check=False)
class OrganizationAccess(BaseAccess): class OrganizationAccess(BaseAccess):
''' '''

46
awx/main/tests/functional/test_rbac_role.py Normal file
View File

@@ -0,0 +1,46 @@
import mock
import pytest
from awx.main.access import (
RoleAccess,
UserAccess
)
from django.core.urlresolvers import reverse
from django.contrib.auth.models import User
@pytest.mark.django_db
def test_inventory_read_role_access_functional(rando, inventory, mocker, post):
inventory.read_role.members.add(rando)
role_pk = inventory.admin_role.pk
mock_access = mocker.MagicMock(spec=RoleAccess, id=968)
with mocker.patch('awx.main.access.RoleAccess', return_value=mock_access):
response = post(url=reverse('api:user_roles_list', args=(rando.pk,)),
data={'id': role_pk}, user=rando)
mock_access.can_attach.assert_called_once_with(
inventory.admin_role, rando, 'members', {"id": role_pk},
skip_sub_obj_read_check=False)
@pytest.mark.django_db
def test_inventory_read_role_user_can_access(rando, inventory):
inventory.read_role.members.add(rando)
access = RoleAccess(rando)
assert not rando.can_access(
User, 'attach', rando, inventory.admin_role, 'roles',
{'id': inventory.admin_role.pk}, False)
@pytest.mark.django_db
def test_inventory_read_role_user_access(rando, inventory):
inventory.read_role.members.add(rando)
access = UserAccess(rando)
data = {'id': inventory.admin_role.pk}
assert not access.can_attach(rando, inventory.admin_role, 'roles', data, False)
@pytest.mark.django_db
def test_inventory_read_role_access(rando, inventory):
inventory.read_role.members.add(rando)
access = RoleAccess(rando)
assert not access.can_attach(inventory.admin_role, rando, 'members', None)