diff --git a/awx/main/access.py b/awx/main/access.py
index bfa28e054e..ebefb700d5 100644
--- a/awx/main/access.py
+++ b/awx/main/access.py
@@ -564,7 +564,7 @@ class CredentialAccess(BaseAccess):
 return False
 if user is not None:
- return user.resource.accessible_by(self.user, {'write': True})
+ return user.accessible_by(self.user, {'write': True})
 if team is not None:
 return team.accessible_by(self.user, {'write':True})
diff --git a/awx/main/migrations/0007_v300_rbac_changes.py b/awx/main/migrations/0007_v300_rbac_changes.py
index 86cc50dc99..71e993dac5 100644
--- a/awx/main/migrations/0007_v300_rbac_changes.py
+++ b/awx/main/migrations/0007_v300_rbac_changes.py
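Review bot: The new check calls `accessible_by` directly on the `auth.User` instance, but nothing in this commit adds that method to `User`; the only `accessible_by` provider visible here is the `ResourceMixin` that the deleted `UserResource` model inherited. If `User` does not get an equivalent elsewhere (a mixin or monkey-patch on the auth model), this branch raises `AttributeError` at request time, which turns an access decision into a 500 instead of a clean denial, so it is worth confirming that the method exists before this lands. For consistency the team branch could also be spaced like the user branch, `return team.accessible_by(self.user, {'write': True})`. The enclosing method starts and ends outside the hunk.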
@@ -65,27 +65,6 @@ class Migration(migrations.Migration):
 'verbose_name_plural': 'permissions',
 },
 ),
- migrations.CreateModel(
- name='UserResource',
- fields=[
- ('id', models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True)),
- ('created', models.DateTimeField(default=None, editable=False)),
- ('modified', models.DateTimeField(default=None, editable=False)),
- ('description', models.TextField(default=b'', blank=True)),
- ('active', models.BooleanField(default=True, editable=False)),
- ('name', models.CharField(max_length=512)),
- ('admin_role', awx.main.fields.ImplicitRoleField(related_name='+', to='main.Role', null=b'True')),
- ('created_by', models.ForeignKey(related_name="{u'class': 'userresource', u'app_label': 'main'}(class)s_created+", on_delete=django.db.models.deletion.SET_NULL, default=None, editable=False, to=settings.AUTH_USER_MODEL, null=True)),
- ('modified_by', models.ForeignKey(related_name="{u'class': 'userresource', u'app_label': 'main'}(class)s_modified+", on_delete=django.db.models.deletion.SET_NULL, default=None, editable=False, to=settings.AUTH_USER_MODEL, null=True)),
- ('tags', taggit.managers.TaggableManager(to='taggit.Tag', through='taggit.TaggedItem', blank=True, help_text='A comma-separated list of tags.', verbose_name='Tags')),
- ('user', awx.main.fields.AutoOneToOneField(related_name='resource', editable=False, to=settings.AUTH_USER_MODEL)),
- ],
- options={
- 'db_table': 'main_rbac_user_resource',
- 'verbose_name': 'user_resource',
- 'verbose_name_plural': 'user_resources',
- },
- ),
 migrations.AddField(
 model_name='credential',
 name='owner_role',
diff --git a/awx/main/migrations/_rbac.py b/awx/main/migrations/_rbac.py
index 2cf0b6e775..4cdb1bc168 100644
--- a/awx/main/migrations/_rbac.py
+++ b/awx/main/migrations/_rbac.py
@@ -1,14 +1,30 @@
+from django.contrib.contenttypes.models import ContentType
+
 from collections import defaultdict
 import _old_access as old_access
 def migrate_users(apps, schema_editor):
 migrations = list()
+
 User = apps.get_model('auth', "User")
 Role = apps.get_model('main', "Role")
+ RolePermission = apps.get_model('main', "RolePermission")
 for user in User.objects.all():
- ur = user.resource # implicitly creates the UserResource field if it didn't already exist
- ur.admin_role.members.add(user)
+ try:
+ Role.objects.get(content_type=ContentType.objects.get_for_model(User), object_id=user.id)
+ except Role.DoesNotExist:
+ role = Role.objects.create(
+ singleton_name = '%s-admin_role' % user.username,
+ content_object = user,
+ )
+ role.members.add(user)
+ RolePermission.objects.create(
+ role = role,
+ resource = user,
+ create=1, read=1, write=1, delete=1, update=1,
+ execute=1, scm_update=1, use=1,
+ )
 if user.is_superuser:
 Role.singleton('System Administrator').members.add(user)
diff --git a/awx/main/models/user.py b/awx/main/models/user.py
deleted file mode 100644
index fad82ba182..0000000000
--- a/awx/main/models/user.py
+++ /dev/null
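Review bot: The idempotency guard in the new loop uses `Role.objects.get(content_type=..., object_id=user.id)` and only catches `DoesNotExist`, so if a user ever has more than one Role attached to it `.get()` raises `MultipleObjectsReturned` and the whole migration aborts part-way through. An existence test is safer and reads as intent: `if not Role.objects.filter(content_type=ContentType.objects.get_for_model(User), object_id=user.id).exists():` followed by the same creation block. Two points to confirm rather than defects: the `RolePermission` row grants every bit on the user's own record, including `delete=1`, so whether a user may now delete or modify their own account is decided entirely by `UserAccess`, which is not in this diff; and `ContentType` is imported as the live model rather than obtained via `apps.get_model('contenttypes', 'ContentType')`, which is generally discouraged inside migrations because the historical `User` model and the live content-type table can disagree. `migrate_users` continues past the end of the hunk, so the `migrations` list built at the top is consumed outside the visible lines.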
@@ -1,31 +0,0 @@
-# Copyright (c) 2015 Ansible, Inc.
-# All Rights Reserved.
-
-from django.db import models
-from django.utils.translation import ugettext_lazy as _
-
-from awx.main.models.base import CommonModelNameNotUnique
-from awx.main.models.mixins import ResourceMixin
-from awx.main.fields import AutoOneToOneField, ImplicitRoleField
-
-
-class UserResource(CommonModelNameNotUnique, ResourceMixin):
- class Meta:
- app_label = 'main'
- verbose_name = _('user_resource')
- verbose_name_plural = _('user_resources')
- unique_together = [('user', 'admin_role'),]
- db_table = 'main_rbac_user_resource'
-
- user = AutoOneToOneField(
- 'auth.User',
- on_delete=models.CASCADE,
- related_name='resource',
- editable=False,
- )
-
- admin_role = ImplicitRoleField(
- role_name='User Administrator',
- role_description='May manage this user',
- permissions = {'all': True},
- )
diff --git a/awx/main/tests/functional/test_rbac_api.py b/awx/main/tests/functional/test_rbac_api.py
index 6e015b48ef..10f6985704 100644
--- a/awx/main/tests/functional/test_rbac_api.py
+++ b/awx/main/tests/functional/test_rbac_api.py
@@ -1,7 +1,6 @@
 import mock # noqa
 import pytest
-from django.contrib.contenttypes.models import ContentType
 from django.core.urlresolvers import reverse
 from awx.main.models.rbac import Role, ROLE_SINGLETON_SYSTEM_ADMINISTRATOR
@@ -47,7 +46,7 @@ def test_get_roles_list_user(organization, inventory, team, get, user):
 assert Role.singleton(ROLE_SINGLETON_SYSTEM_ADMINISTRATOR).id in role_hash
 assert organization.admin_role.id in role_hash
 assert organization.member_role.id in role_hash
- assert this_user.resource.admin_role.id in role_hash
+ assert this_user.admin_role.id in role_hash
 assert custom_role.id in role_hash
 assert inventory.admin_role.id not in role_hash
@@ -396,7 +395,6 @@ def test_role_children(get, team, admin, role):
 @pytest.mark.django_db
 def test_resource_access_list(get, team, admin, role):
 team.member_role.members.add(admin)
- content_type_id = ContentType.objects.get_for_model(team).pk
 url = reverse('api:team_access_list', args=(team.id,))
 res = get(url, admin)
 assert res.status_code == 200