Fix display of indirect access permissions.

For indirect roles, we need to actually show the derived roles, not the details of the role that gives us the derived roles. This means that we can get multiple derived roles from a single indirect role, so we have to expand the list.
2026-01-18 05:01:19 -03:30 · 2019-08-20 20:04:38 -04:00 · 2019-08-20 20:04:38 -04:00 · 444f024bb0
commit 444f024bb0
parent 4bdbb88934
1 changed files with 33 additions and 2 deletions
--- a/awx/ui/client/src/access/rbac-role-column/roleList.directive.js
+++ b/awx/ui/client/src/access/rbac-role-column/roleList.directive.js
@ -21,9 +21,40 @@ export default
                        }))
                        .concat(scope.deleteTarget.summary_fields
                            .indirect_access.map((i) => {
-                                i.role.explicit = false;
-                                return i.role;
+                                // Indirect access roles describe the role on another object that
+                                // gives the user access to this object, so we must introspect them.
+                                //
+                                // If the user has indirect admin access, they are system admin, org admin,
+                                // or a <resource_type>_admin. Return the role name directly.
+                                if (i.descendant_roles.includes('admin_role')) {
+                                    i.role.explicit = false;
+                                    return i.role;
+                                }
+                                // Return other specific roles that grant read access
+                                if (i.role.name.includes('Auditor')) {
+                                    i.role.explicit = false;
+                                    return i.role;
+                                }
+                                // Handle more complex cases
+                                // This includes roles team<->team roles, and roles an org admin
+                                // inherits from teams in their organization.
+                                //
+                                // For these, we want to describe the actual permissions for the
+                                // object we are retrieving the access_list for, so replace
+                                // the role name with the descendant_roles.
+                                let indirect_roles = [];
+                                i.descendant_roles.forEach((descendant_role) => {
+                                    let r = _.cloneDeep(i.role);
+                                    r.name = descendant_role.replace('_role','');
+                                    r.explicit = false;
+                                    // Do not include the read role unless it is the only descendant role.
+                                    if (r.name !== 'read' || i.descendant_roles.length === 1) {
+                                        indirect_roles.push(r);
+                                    }
+                                });
+                                return indirect_roles;
                        }))
+                        .flat()
                        .filter((role) => {
                            return Boolean(attrs.teamRoleList) === Boolean(role.team_id);
                        })