External-Mirrors/awx
2
0
Fork 0
mirror of https://github.com/ansible/awx.git synced 2026-05-06 17:07:36 -02:30
Code Issues Packages Projects Releases Wiki Activity

add execution_environment_admin_role to the an organizations read role, which access.py uses for determining access to reading an ee within an organization,

Browse Source 
add migration file for execution_env_admin role addition to read_roles within an organization,

and set check related to mandatory
This commit is contained in:
Rebeccah
2021-02-18 17:24:17 -05:00
committed by Shane McDonald
parent eaa74b40c1
commit 41fb21911e
3 changed files with 25 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
awx/main/access.py
View File

@@ -1325,7 +1325,7 @@ class ExecutionEnvironmentAccess(BaseAccess):
def filtered_queryset(self): def filtered_queryset(self):
return ExecutionEnvironment.objects.filter( return ExecutionEnvironment.objects.filter(
Q(organization__in=Organization.accessible_pk_qs(self.user, 'member_role')) | Q(organization__in=Organization.accessible_pk_qs(self.user, 'read_role')) |
Q(organization__isnull=True) Q(organization__isnull=True)
).distinct() ).distinct()
@@ -1333,7 +1333,7 @@ class ExecutionEnvironmentAccess(BaseAccess):
def can_add(self, data): def can_add(self, data):
if not data: # So the browseable API will work if not data: # So the browseable API will work
return Organization.accessible_objects(self.user, 'execution_environment_admin_role').exists() return Organization.accessible_objects(self.user, 'execution_environment_admin_role').exists()
return self.check_related('organization', Organization, data) return self.check_related('organization', Organization, data, mandatory=True)
@check_superuser @check_superuser
def can_change(self, obj, data): def can_change(self, obj, data):
@@ -1341,7 +1341,7 @@ class ExecutionEnvironmentAccess(BaseAccess):
raise PermissionDenied raise PermissionDenied
if obj and obj.organization_id is None: if obj and obj.organization_id is None:
raise PermissionDenied raise PermissionDenied
if self.user not in obj.organization.execution_environment_admin_role and self.user not in obj.organization.admin_role: if self.user not in obj.organization.execution_environment_admin_role:
raise PermissionDenied raise PermissionDenied
org_pk = get_pk_from_dict(data, 'organization') org_pk = get_pk_from_dict(data, 'organization')
if obj and obj.organization_id != org_pk: if obj and obj.organization_id != org_pk:

20
awx/main/migrations/0128_organiaztion_read_roles_ee_admin.py Normal file
View File

@@ -0,0 +1,20 @@
# Generated by Django 2.2.16 on 2021-02-18 22:57
import awx.main.fields
from django.db import migrations
import django.db.models.deletion
class Migration(migrations.Migration):
dependencies = [
('main', '0127_reset_pod_spec_override'),
]
operations = [
migrations.AlterField(
model_name='organization',
name='read_role',
field=awx.main.fields.ImplicitRoleField(editable=False, null='True', on_delete=django.db.models.deletion.CASCADE, parent_role=['member_role', 'auditor_role', 'execute_role', 'project_admin_role', 'inventory_admin_role', 'workflow_admin_role', 'notification_admin_role', 'credential_admin_role', 'job_template_admin_role', 'approval_role', 'execution_environment_admin_role'], related_name='+', to='main.Role'),
),
]

3
awx/main/models/organization.py
View File

@@ -109,7 +109,8 @@ class Organization(CommonModel, NotificationFieldsModel, ResourceMixin, CustomVi
'execute_role', 'project_admin_role', 'execute_role', 'project_admin_role',
'inventory_admin_role', 'workflow_admin_role', 'inventory_admin_role', 'workflow_admin_role',
'notification_admin_role', 'credential_admin_role', 'notification_admin_role', 'credential_admin_role',
'job_template_admin_role', 'approval_role',], 'job_template_admin_role', 'approval_role',
'execution_environment_admin_role',],
) )
approval_role = ImplicitRoleField( approval_role = ImplicitRoleField(
parent_role='admin_role', parent_role='admin_role',