add execution_environment_admin_role to the an organizations read role, which access.py uses for determining access to reading an ee within an organization,

add migration file for execution_env_admin role addition to read_roles within an organization, and set check related to mandatory
2026-01-14 11:20:39 -03:30 · 2021-02-18 17:24:17 -05:00 · 2021-02-18 17:24:17 -05:00 · 41fb21911e
commit 41fb21911e
parent eaa74b40c1
3 changed files with 25 additions and 4 deletions
--- a/awx/main/access.py
+++ b/awx/main/access.py
@ -1325,7 +1325,7 @@ class ExecutionEnvironmentAccess(BaseAccess):

    def filtered_queryset(self):
        return ExecutionEnvironment.objects.filter(
-            Q(organization__in=Organization.accessible_pk_qs(self.user, 'member_role')) |
+            Q(organization__in=Organization.accessible_pk_qs(self.user, 'read_role')) |
            Q(organization__isnull=True)
        ).distinct()

@ -1333,7 +1333,7 @@ class ExecutionEnvironmentAccess(BaseAccess):
    def can_add(self, data):
        if not data:  # So the browseable API will work
            return Organization.accessible_objects(self.user, 'execution_environment_admin_role').exists()
-        return self.check_related('organization', Organization, data)
+        return self.check_related('organization', Organization, data, mandatory=True)

    @check_superuser
    def can_change(self, obj, data):
@ -1341,7 +1341,7 @@ class ExecutionEnvironmentAccess(BaseAccess):
            raise PermissionDenied
        if obj and obj.organization_id is None:
            raise PermissionDenied
-        if self.user not in obj.organization.execution_environment_admin_role and self.user not in obj.organization.admin_role:
+        if self.user not in obj.organization.execution_environment_admin_role:
            raise PermissionDenied
        org_pk = get_pk_from_dict(data, 'organization')
        if obj and obj.organization_id != org_pk:
--- a/awx/main/migrations/0128_organiaztion_read_roles_ee_admin.py
+++ b/awx/main/migrations/0128_organiaztion_read_roles_ee_admin.py
@ -0,0 +1,20 @@
+# Generated by Django 2.2.16 on 2021-02-18 22:57
+
+import awx.main.fields
+from django.db import migrations
+import django.db.models.deletion
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('main', '0127_reset_pod_spec_override'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='organization',
+            name='read_role',
+            field=awx.main.fields.ImplicitRoleField(editable=False, null='True', on_delete=django.db.models.deletion.CASCADE, parent_role=['member_role', 'auditor_role', 'execute_role', 'project_admin_role', 'inventory_admin_role', 'workflow_admin_role', 'notification_admin_role', 'credential_admin_role', 'job_template_admin_role', 'approval_role', 'execution_environment_admin_role'], related_name='+', to='main.Role'),
+        ),
+    ]
--- a/awx/main/models/organization.py
+++ b/awx/main/models/organization.py
@ -109,7 +109,8 @@ class Organization(CommonModel, NotificationFieldsModel, ResourceMixin, CustomVi
                     'execute_role', 'project_admin_role',
                     'inventory_admin_role', 'workflow_admin_role',
                     'notification_admin_role', 'credential_admin_role',
-                     'job_template_admin_role', 'approval_role',],
+                     'job_template_admin_role', 'approval_role', 
+                     'execution_environment_admin_role',],
    )
    approval_role = ImplicitRoleField(
        parent_role='admin_role',