External-Mirrors/awx
2
0
Fork 0
mirror of https://github.com/ansible/awx.git synced 2026-05-17 14:27:42 -02:30
Code Issues Packages Projects Releases Wiki Activity

Patch up missing org access checks in access.py

Browse Source
This commit is contained in:
Aaron Tan
2016-10-13 11:45:34 -04:00
parent 7bd19b8e98
commit 4ae11f6557
1 changed files with 11 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
awx/main/access.py
View File

@@ -871,6 +871,11 @@ class ProjectAccess(BaseAccess):
@check_superuser @check_superuser
def can_change(self, obj, data): def can_change(self, obj, data):
org_pk = get_pk_from_dict(data, 'organization')
if obj and org_pk and obj.organization.pk != org_pk:
org = get_object_or_400(Organization, pk=org_pk)
if self.user not in org.admin_role:
return False
return self.user in obj.admin_role return self.user in obj.admin_role
def can_delete(self, obj): def can_delete(self, obj):
@@ -2045,11 +2050,16 @@ class CustomInventoryScriptAccess(BaseAccess):
@check_superuser @check_superuser
def can_admin(self, obj, data=None): def can_admin(self, obj, data=None):
org_pk = get_pk_from_dict(data, 'organization')
if obj and org_pk and obj.organization.pk != org_pk:
org = get_object_or_400(Organization, pk=org_pk)
if self.user not in org.admin_role:
return False
return self.user in obj.admin_role return self.user in obj.admin_role
@check_superuser @check_superuser
def can_change(self, obj, data): def can_change(self, obj, data):
return self.can_admin(obj) return self.can_admin(obj, data=data)
@check_superuser @check_superuser
def can_delete(self, obj): def can_delete(self, obj):