From 3fec69799cb37854da8e6138041bb1ec4949ae95 Mon Sep 17 00:00:00 2001
From: chris meyers
Date: Mon, 13 Jan 2020 15:01:29 -0500
Subject: [PATCH] fix websocket job subscription access control

---
 awx/main/consumers.py | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/awx/main/consumers.py b/awx/main/consumers.py
index c81085c988..bc7aa47089 100644
--- a/awx/main/consumers.py
+++ b/awx/main/consumers.py
@@ -140,7 +140,7 @@ class EventConsumer(AsyncJsonWebsocketConsumer):
 await self.close()

 @database_sync_to_async
- def user_can_see_object_id(self, user_access):
+ def user_can_see_object_id(self, user_access, oid):
 return user_access.get_queryset().filter(pk=oid).exists()

 async def receive_json(self, data):
@@ -169,17 +169,16 @@ class EventConsumer(AsyncJsonWebsocketConsumer):
 access_cls = consumer_access(group_name)
 if access_cls is not None:
 user_access = access_cls(user)
- if not self.user_can_see_object_id(user_access):
+ if not await self.user_can_see_object_id(user_access, oid):
 await self.send_json({"error": "access denied to channel {0} for resource id {1}".format(group_name, oid)})
 continue
- new_groups.add(name)
 else:
 if group_name == BROADCAST_GROUP:
 logger.warn("Non-priveleged client asked to join broadcast group!")
 return
- new_groups.add(name)
+ new_groups.add(group_name)

 old_groups = current_groups - new_groups
 for group_name in old_groups:
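Review bot: The added `await` in the second hunk is the actual access-control fix — `user_can_see_object_id` is wrapped by `@database_sync_to_async`, so the old un-awaited call returned a coroutine object, which is always truthy, and `if not ...` never denied anyone — yet the diffstat shows no test pinning the fail-closed behavior, so a regression test that subscribes to an object-scoped group the user cannot see and asserts the `"access denied to channel ..."` reply would be worth adding. A comment on the new line would also stop the next refactor from dropping the `await` silently: `# must be awaited: the decorator returns a coroutine, and a bare coroutine is truthy (fails open)`. Separately, after the removal of the inner `new_groups.add(name)`, the list branch as rendered here no longer records any subscription for the per-object `name`; if an oid-level `new_groups.add(name)` context line was lost in this rendering that is fine, otherwise the commit breaks object-scoped subscriptions. The `receive_json` body starts and ends outside the hunk.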