make CustomInvetoryScript a resource.

awx/main/migrations/0008_v300_rbac_changes.py

@@ -141,6 +141,21 @@ class Migration(migrations.Migration):
             name='updater_role',
             field=awx.main.fields.ImplicitRoleField(related_name='+', to='main.Role', null=b'True'),
         ),
+        migrations.AddField(
+            model_name='custominventoryscript',
+            name='admin_role',
+            field=awx.main.fields.ImplicitRoleField(related_name='+', to='main.Role', null=b'True'),
+        ),
+        migrations.AddField(
+            model_name='custominventoryscript',
+            name='auditor_role',
+            field=awx.main.fields.ImplicitRoleField(related_name='+', to='main.Role', null=b'True'),
+        ),
+        migrations.AddField(
+            model_name='custominventoryscript',
+            name='member_role',
+            field=awx.main.fields.ImplicitRoleField(related_name='+', to='main.Role', null=b'True'),
+        ),
         migrations.AddField(
             model_name='jobtemplate',
             name='admin_role',

awx/main/models/inventory.py

@@ -1264,7 +1264,7 @@ class InventoryUpdate(UnifiedJob, InventorySourceOptions):
         return True
 
 
-class CustomInventoryScript(CommonModelNameNotUnique):
+class CustomInventoryScript(CommonModelNameNotUnique, ResourceMixin):
 
     class Meta:
         app_label = 'main'
@@ -1285,6 +1285,27 @@ class CustomInventoryScript(CommonModelNameNotUnique):
         on_delete=models.SET_NULL,
     )
 
+    admin_role = ImplicitRoleField(
+        role_name='CustomInventory Administrator',
+        role_description='May manage this inventory',
+        parent_role='organization.admin_role',
+        permissions = {'all': True}
+    )
+
+    member_role = ImplicitRoleField(
+        role_name='CustomInventory Member',
+        role_description='May view but not modify this inventory',
+        parent_role='organization.member_role',
+        permissions = {'read': True}
+    )
+
+    auditor_role = ImplicitRoleField(
+        role_name='CustomInventory Auditor',
+        role_description='May view but not modify this inventory',
+        parent_role='organization.auditor_role',
+        permissions = {'read': True}
+    )
+
     def get_absolute_url(self):
         return reverse('api:inventory_script_detail', args=(self.pk,))
 

awx/main/tests/functional/test_rbac_inventory.py

@@ -1,10 +1,25 @@
 import pytest
 
 from awx.main.migrations import _rbac as rbac
-from awx.main.models import Permission, Host
+from awx.main.models import (
+    Permission,
+    Host,
+    CustomInventoryScript,
+)
 from awx.main.access import InventoryAccess
 from django.apps import apps
 
+@pytest.mark.django_db
+def test_custom_inv_script_access(organization, user):
+    u = user('user', False)
+
+    custom_inv = CustomInventoryScript.objects.create(name='test', script='test', description='test')
+    custom_inv.organization = organization
+    assert not custom_inv.accessible_by(u, {'read':True})
+
+    organization.member_role.members.add(u)
+    assert custom_inv.accessible_by(u, {'read':True})
+
 @pytest.mark.django_db
 def test_inventory_admin_user(inventory, permissions, user):
     u = user('admin', False)