External-Mirrors/awx
2
0
Fork 0
mirror of https://github.com/ansible/awx.git synced 2026-05-20 07:17:40 -02:30
Code Issues Packages Projects Releases Wiki Activity

switch WFJT node permissions to execute and use levels

Browse Source
This commit is contained in:
AlanCoding
2016-12-19 11:21:45 -05:00
parent 4f9d2fbde3
commit 4b57aa238a
2 changed files with 23 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
awx/main/access.py
View File

@@ -1396,23 +1396,18 @@ class WorkflowJobTemplateNodeAccess(BaseAccess):
return qs return qs
def can_use_prompted_resources(self, data): def can_use_prompted_resources(self, data):
if not self.check_related('credential', Credential, data): return (
return False self.check_related('credential', Credential, data, role_field='use_role') and
if not self.check_related('inventory', Inventory, data): self.check_related('inventory', Inventory, data, role_field='use_role'))
return False
return True
@check_superuser @check_superuser
def can_add(self, data): def can_add(self, data):
if not data: # So the browseable API will work if not data: # So the browseable API will work
return True return True
if not self.check_related('workflow_job_template', WorkflowJobTemplate, data, mandatory=True): return (
return False self.check_related('workflow_job_template', WorkflowJobTemplate, data, mandatory=True) and
if not self.check_related('unified_job_template', UnifiedJobTemplate, data): self.check_related('unified_job_template', UnifiedJobTemplate, data, role_field='execute_role') and
return False self.can_use_prompted_resources(data))
if not self.can_use_prompted_resources(data):
return False
return True
def wfjt_admin(self, obj): def wfjt_admin(self, obj):
if not obj.workflow_job_template: if not obj.workflow_job_template:

20
awx/main/tests/functional/test_rbac_workflow.py
View File

@@ -51,17 +51,29 @@ class TestWorkflowJobTemplateAccess:
@pytest.mark.django_db @pytest.mark.django_db
class TestWorkflowJobTemplateNodeAccess: class TestWorkflowJobTemplateNodeAccess:
def test_jt_access_to_edit(self, wfjt_node, org_admin): def test_no_jt_access_to_edit(self, wfjt_node, org_admin):
# without access to the related job template, admin to the WFJT can
# not change the prompted parameters
access = WorkflowJobTemplateNodeAccess(org_admin) access = WorkflowJobTemplateNodeAccess(org_admin)
assert not access.can_change(wfjt_node, {'job_type': 'scan'}) assert not access.can_change(wfjt_node, {'job_type': 'scan'})
def test_add_JT_no_start_perm(self, wfjt, job_template, rando): def test_add_JT_no_start_perm(self, wfjt, job_template, rando):
wfjt.admin_role.members.add(rando) wfjt.admin_role.members.add(rando)
access = WorkflowJobTemplateAccess(rando) access = WorkflowJobTemplateNodeAccess(rando)
job_template.read_role.members.add(rando) job_template.read_role.members.add(rando)
assert not access.can_add({ assert not access.can_add({
'workflow_job_template': wfjt.pk, 'workflow_job_template': wfjt,
'unified_job_template': job_template.pk}) 'unified_job_template': job_template})
def test_add_node_with_minimum_permissions(self, wfjt, job_template, inventory, rando):
wfjt.admin_role.members.add(rando)
access = WorkflowJobTemplateNodeAccess(rando)
job_template.execute_role.members.add(rando)
inventory.use_role.members.add(rando)
assert access.can_add({
'workflow_job_template': wfjt,
'inventory': inventory,
'unified_job_template': job_template})
def test_remove_unwanted_foreign_node(self, wfjt_node, job_template, rando): def test_remove_unwanted_foreign_node(self, wfjt_node, job_template, rando):
wfjt = wfjt_node.workflow_job_template wfjt = wfjt_node.workflow_job_template