Merge pull request #1222 from wwitzel3/rbac

Remove UserResource and ensure RolePermission during migration

awx/main/access.py

@@ -564,7 +564,7 @@ class CredentialAccess(BaseAccess):
             return False
 
         if user is not None:
-            return user.resource.accessible_by(self.user, {'write': True})
+            return user.accessible_by(self.user, {'write': True})
         if team is not None:
             return team.accessible_by(self.user, {'write':True})
 

awx/main/migrations/0007_v300_rbac_changes.py

@@ -65,27 +65,6 @@ class Migration(migrations.Migration):
                 'verbose_name_plural': 'permissions',
             },
         ),
-        migrations.CreateModel(
-            name='UserResource',
-            fields=[
-                ('id', models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True)),
-                ('created', models.DateTimeField(default=None, editable=False)),
-                ('modified', models.DateTimeField(default=None, editable=False)),
-                ('description', models.TextField(default=b'', blank=True)),
-                ('active', models.BooleanField(default=True, editable=False)),
-                ('name', models.CharField(max_length=512)),
-                ('admin_role', awx.main.fields.ImplicitRoleField(related_name='+', to='main.Role', null=b'True')),
-                ('created_by', models.ForeignKey(related_name="{u'class': 'userresource', u'app_label': 'main'}(class)s_created+", on_delete=django.db.models.deletion.SET_NULL, default=None, editable=False, to=settings.AUTH_USER_MODEL, null=True)),
-                ('modified_by', models.ForeignKey(related_name="{u'class': 'userresource', u'app_label': 'main'}(class)s_modified+", on_delete=django.db.models.deletion.SET_NULL, default=None, editable=False, to=settings.AUTH_USER_MODEL, null=True)),
-                ('tags', taggit.managers.TaggableManager(to='taggit.Tag', through='taggit.TaggedItem', blank=True, help_text='A comma-separated list of tags.', verbose_name='Tags')),
-                ('user', awx.main.fields.AutoOneToOneField(related_name='resource', editable=False, to=settings.AUTH_USER_MODEL)),
-            ],
-            options={
-                'db_table': 'main_rbac_user_resource',
-                'verbose_name': 'user_resource',
-                'verbose_name_plural': 'user_resources',
-            },
-        ),
         migrations.AddField(
             model_name='credential',
             name='owner_role',

awx/main/migrations/_rbac.py

@@ -1,14 +1,30 @@
+from django.contrib.contenttypes.models import ContentType
+
 from collections import defaultdict
 import _old_access as old_access
 
 def migrate_users(apps, schema_editor):
     migrations = list()
+
     User = apps.get_model('auth', "User")
     Role = apps.get_model('main', "Role")
+    RolePermission = apps.get_model('main', "RolePermission")
 
     for user in User.objects.all():
-        ur = user.resource # implicitly creates the UserResource field if it didn't already exist
+        try:
-        ur.admin_role.members.add(user)
+            Role.objects.get(content_type=ContentType.objects.get_for_model(User), object_id=user.id)
+        except Role.DoesNotExist:
+            role = Role.objects.create(
+                singleton_name = '%s-admin_role' % user.username,
+                content_object = user,
+            )
+            role.members.add(user)
+            RolePermission.objects.create(
+                role = role,
+                resource = user,
+                create=1, read=1, write=1, delete=1, update=1,
+                execute=1, scm_update=1, use=1,
+            )
 
         if user.is_superuser:
             Role.singleton('System Administrator').members.add(user)

awx/main/models/user.py

@@ -1,31 +0,0 @@
-# Copyright (c) 2015 Ansible, Inc.
-# All Rights Reserved.
-
-from django.db import models
-from django.utils.translation import ugettext_lazy as _
-
-from awx.main.models.base import CommonModelNameNotUnique
-from awx.main.models.mixins import ResourceMixin
-from awx.main.fields import AutoOneToOneField, ImplicitRoleField
-
-
-class UserResource(CommonModelNameNotUnique, ResourceMixin):
-    class Meta:
-        app_label = 'main'
-        verbose_name = _('user_resource')
-        verbose_name_plural = _('user_resources')
-        unique_together = [('user', 'admin_role'),]
-        db_table = 'main_rbac_user_resource'
-
-    user = AutoOneToOneField(
-        'auth.User',
-        on_delete=models.CASCADE,
-        related_name='resource',
-        editable=False,
-    )
-
-    admin_role = ImplicitRoleField(
-        role_name='User Administrator',
-        role_description='May manage this user',
-        permissions = {'all': True},
-    )

awx/main/tests/functional/test_rbac_api.py

@@ -1,7 +1,6 @@
 import mock # noqa
 import pytest
 
-from django.contrib.contenttypes.models import ContentType
 from django.core.urlresolvers import reverse
 from awx.main.models.rbac import Role, ROLE_SINGLETON_SYSTEM_ADMINISTRATOR
 
@@ -47,7 +46,7 @@ def test_get_roles_list_user(organization, inventory, team, get, user):
     assert Role.singleton(ROLE_SINGLETON_SYSTEM_ADMINISTRATOR).id in role_hash
     assert organization.admin_role.id in role_hash
     assert organization.member_role.id in role_hash
-    assert this_user.resource.admin_role.id in role_hash
+    assert this_user.admin_role.id in role_hash
     assert custom_role.id in role_hash
 
     assert inventory.admin_role.id not in role_hash
@@ -396,7 +395,6 @@ def test_role_children(get, team, admin, role):
 @pytest.mark.django_db
 def test_resource_access_list(get, team, admin, role):
     team.member_role.members.add(admin)
-    content_type_id = ContentType.objects.get_for_model(team).pk
     url = reverse('api:team_access_list', args=(team.id,))
     res = get(url, admin)
     assert res.status_code == 200