From 41fb21911e684a0c6363d77c19459571051f611c Mon Sep 17 00:00:00 2001
From: Rebeccah
Date: Thu, 18 Feb 2021 17:24:17 -0500
Subject: [PATCH] add execution_environment_admin_role to the an organizations read role, which access.py uses for determining access to reading an ee within an organization, add migration file for execution_env_admin role addition to read_roles within an organization, and set check related to mandatory

---
 awx/main/access.py | 6 +++---
 .../0128_organiaztion_read_roles_ee_admin.py | 20 +++++++++++++++++++
 awx/main/models/organization.py | 3 ++-
 3 files changed, 25 insertions(+), 4 deletions(-)
 create mode 100644 awx/main/migrations/0128_organiaztion_read_roles_ee_admin.py

diff --git a/awx/main/access.py b/awx/main/access.py
index 8817e7b917..9e9631751c 100644
--- a/awx/main/access.py
+++ b/awx/main/access.py
@@ -1325,7 +1325,7 @@ class ExecutionEnvironmentAccess(BaseAccess):
 
 def filtered_queryset(self):
 return ExecutionEnvironment.objects.filter(
- Q(organization__in=Organization.accessible_pk_qs(self.user, 'member_role')) |
+ Q(organization__in=Organization.accessible_pk_qs(self.user, 'read_role')) |
 Q(organization__isnull=True)
 ).distinct()
 
@@ -1333,7 +1333,7 @@ class ExecutionEnvironmentAccess(BaseAccess):
 def can_add(self, data):
 if not data: # So the browseable API will work
 return Organization.accessible_objects(self.user, 'execution_environment_admin_role').exists()
- return self.check_related('organization', Organization, data)
+ return self.check_related('organization', Organization, data, mandatory=True)
 
 @check_superuser
 def can_change(self, obj, data):
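Review bot: The switch from member_role to read_role on the filtered_queryset line deserves a why-comment, because the reason only becomes visible in the organization.py hunk and the new migration, which add execution_environment_admin_role as a parent of read_role. The migration also shows member_role among read_role's parents, so read_role is the broader of the two and a later reader may assume the intent was to open EE visibility to every org role rather than to let EE admins list the EEs they administer. Suggested comment above the first Q(): `# read_role, not member_role: execution_environment_admin_role is a parent of read_role, so EE admins who are not org members can still list their org's EEs`. Holders of the other parents listed in the migration (auditor_role, execute_role, the remaining *_admin_roles) gain the same visibility, which looks intended but is worth stating in the commit message.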
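Review bot: The can_add line now passes mandatory=True but still no role_field, so unless check_related's default has changed it gates creation on the organization's admin_role, while the `if not data` branch directly above and the can_change hunk that follows gate on execution_environment_admin_role. If that reading of the default is right, a user holding only execution_environment_admin_role sees a creatable form via the `not data` path yet is denied on the actual POST. Consider `return self.check_related('organization', Organization, data, role_field='execution_environment_admin_role', mandatory=True)`; org admins would still pass provided admin_role is a parent of that role, as the organization.py hunk shows it is for approval_role.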
@@ -1341,7 +1341,7 @@ class ExecutionEnvironmentAccess(BaseAccess):
 raise PermissionDenied
 if obj and obj.organization_id is None:
 raise PermissionDenied
- if self.user not in obj.organization.execution_environment_admin_role and self.user not in obj.organization.admin_role:
+ if self.user not in obj.organization.execution_environment_admin_role:
 raise PermissionDenied
 org_pk = get_pk_from_dict(data, 'organization')
 if obj and obj.organization_id != org_pk:
diff --git a/awx/main/migrations/0128_organiaztion_read_roles_ee_admin.py b/awx/main/migrations/0128_organiaztion_read_roles_ee_admin.py
new file mode 100644
index 0000000000..f03a4e0ba2
--- /dev/null
+++ b/awx/main/migrations/0128_organiaztion_read_roles_ee_admin.py
@@ -0,0 +1,20 @@
+# Generated by Django 2.2.16 on 2021-02-18 22:57
+
+import awx.main.fields
+from django.db import migrations
+import django.db.models.deletion
+
+
+class Migration(migrations.Migration):
+
+ dependencies = [
+ ('main', '0127_reset_pod_spec_override'),
+ ]
+
+ operations = [
+ migrations.AlterField(
+ model_name='organization',
+ name='read_role',
+ field=awx.main.fields.ImplicitRoleField(editable=False, null='True', on_delete=django.db.models.deletion.CASCADE, parent_role=['member_role', 'auditor_role', 'execute_role', 'project_admin_role', 'inventory_admin_role', 'workflow_admin_role', 'notification_admin_role', 'credential_admin_role', 'job_template_admin_role', 'approval_role', 'execution_environment_admin_role'], related_name='+', to='main.Role'),
+ ),
+ ]
diff --git a/awx/main/models/organization.py b/awx/main/models/organization.py
index bdf1e38d7d..f0ecfea5c7 100644
--- a/awx/main/models/organization.py
+++ b/awx/main/models/organization.py
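Review bot: Dropping the explicit admin_role test on the can_change line leaves org admins able to edit only if admin_role is an ancestor of execution_environment_admin_role; the organization.py hunk shows that pattern for approval_role (`parent_role='admin_role'`) but the definition of execution_environment_admin_role itself is not on this page, so please confirm it and record it, e.g. `# org admin_role is a parent of execution_environment_admin_role, so org admins pass this check implicitly`. The commit message does not mention this simplification either, and a reader comparing old and new lines will otherwise take it for a deliberate narrowing. Note that the check covers only the object's current organization; the handling of a new organization from data starts at org_pk on the last context line and continues past the hunk, as does the rest of can_change.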
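Review bot: The new migration's filename misspells organization as `organiaztion`; migration names are referenced by later migrations' dependencies and recorded in django_migrations once applied, so the typo becomes awkward to fix after release and should be corrected before merge (the diffstat in the commit record carries the same spelling). The parent_role list in the AlterField matches the list in the organization.py hunk, which is what keeps a subsequent makemigrations from emitting another AlterField. `null='True'` is a string rather than a bool; it is truthy so behaves the same, and since the file is makemigrations output it presumably mirrors the field's defaults in awx.main.fields rather than a hand edit, so it belongs to a separate cleanup.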
@@ -109,7 +109,8 @@ class Organization(CommonModel, NotificationFieldsModel, ResourceMixin, CustomVi 'execute_role', 'project_admin_role', 'inventory_admin_role', 'workflow_admin_role', 'notification_admin_role', 'credential_admin_role', - 'job_template_admin_role', 'approval_role',], + 'job_template_admin_role', 'approval_role', + 'execution_environment_admin_role',], ) approval_role = ImplicitRoleField( parent_role='admin_role',