Merge pull request #6545 from fosterseth/fix-4198-readd-user-to-org

Fix adding orphaned user to org

Reviewed-by: https://github.com/apps/softwarefactory-project-zuul
softwarefactory-project-zuul[bot]
2020-04-06 21:10:38 +00:00
committed by GitHub
2 changed files with 9 additions and 4 deletions


@@ -11,7 +11,6 @@ from functools import reduce
from django.conf import settings from django.conf import settings
from django.db.models import Q, Prefetch from django.db.models import Q, Prefetch
from django.contrib.auth.models import User from django.contrib.auth.models import User
from django.contrib.contenttypes.models import ContentType
from django.utils.translation import ugettext_lazy as _ from django.utils.translation import ugettext_lazy as _
from django.core.exceptions import ObjectDoesNotExist from django.core.exceptions import ObjectDoesNotExist
@@ -642,8 +641,8 @@ class UserAccess(BaseAccess):
# in these cases only superusers can modify orphan users # in these cases only superusers can modify orphan users
return False return False
return not obj.roles.all().exclude( return not obj.roles.all().exclude(
content_type=ContentType.objects.get_for_model(User) ancestors__in=self.user.roles.all()
).filter(ancestors__in=self.user.roles.all()).exists() ).exists()
else: else:
return self.is_all_org_admin(obj) return self.is_all_org_admin(obj)
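Review bot: The authorization query `return not obj.roles.all().exclude(ancestors__in=self.user.roles.all()).exists()` is a double negative with no comment stating the rule it enforces, and the previous form of this query appears to have had the test inverted. I would add above it `# allow only if every role the orphan holds has an ancestor among the requesting user's roles`, and mention there that a user holding no roles at all passes vacuously. The removed `content_type=ContentType.objects.get_for_model(User)` exclusion also means roles of that content type are now subject to the check; the hunk does not show whether that is intended, so it is worth confirming. The enclosing method starts and ends outside the hunk.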


@@ -60,6 +60,8 @@ def test_org_user_role_attach(user, organization, inventory):
''' '''
admin = user('admin') admin = user('admin')
nonmember = user('nonmember') nonmember = user('nonmember')
other_org = Organization.objects.create(name="other_org")
other_org.member_role.members.add(nonmember)
inventory.admin_role.members.add(nonmember) inventory.admin_role.members.add(nonmember)
organization.admin_role.members.add(admin) organization.admin_role.members.add(admin)
@@ -186,13 +188,17 @@ def test_need_all_orgs_to_admin_user(user):
# Orphaned user can be added to member role, only in special cases # Orphaned user can be added to member role, only in special cases
@pytest.mark.django_db @pytest.mark.django_db
def test_orphaned_user_allowed(org_admin, rando, organization): def test_orphaned_user_allowed(org_admin, rando, organization, org_credential):
''' '''
We still allow adoption of orphaned* users by assigning them to We still allow adoption of orphaned* users by assigning them to
organization member role, but only in the situation where the organization member role, but only in the situation where the
org admin already posesses indirect access to all of the user's roles org admin already posesses indirect access to all of the user's roles
*orphaned means user is not a member of any organization *orphaned means user is not a member of any organization
''' '''
# give a descendent role to rando, to trigger the conditional
# where all ancestor roles of rando should be in the set of
# org_admin roles.
org_credential.admin_role.members.add(rando)
role_access = RoleAccess(org_admin) role_access = RoleAccess(org_admin)
org_access = OrganizationAccess(org_admin) org_access = OrganizationAccess(org_admin)
assert role_access.can_attach(organization.member_role, rando, 'members', None) assert role_access.can_attach(organization.member_role, rando, 'members', None)
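Review bot: `test_orphaned_user_allowed` now exercises only the allow path of the orphan check, and no deny case is visible in this hunk: an orphan who holds a role that the org admin has no ancestor of should be refused. Since this check decides whether an org admin may adopt a user, I would add a companion test that gives `rando` a role on an object outside `organization` and asserts `not role_access.can_attach(organization.member_role, rando, 'members', None)`. Such a test may already exist elsewhere in the file, which is not shown here. The test body appears to continue past the end of the hunk.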