External-Mirrors/awx
2
0
Fork 0
mirror of https://github.com/ansible/awx.git synced 2026-05-17 06:17:36 -02:30
Code Issues Packages Projects Releases Wiki Activity

Optimized (user|team)/:n/roles/

Browse Source
This commit is contained in:
Akita Noek
2016-04-25 14:07:32 -04:00
parent 9df157c971
commit 4c15374b05
2 changed files with 27 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
awx/api/views.py
View File

@@ -816,7 +816,8 @@ class TeamRolesList(SubListCreateAttachDetachAPIView):
def get_queryset(self): def get_queryset(self):
team = Team.objects.get(pk=self.kwargs['pk']) team = Team.objects.get(pk=self.kwargs['pk'])
return team.member_role.children.filter(id__in=Role.visible_roles(self.request.user)) #return team.member_role.children.filter(id__in=Role.visible_roles(self.request.user))
return Role.filter_visible_roles(self.request.user, team.member_role.children.all())
# XXX: Need to enforce permissions # XXX: Need to enforce permissions
def post(self, request, *args, **kwargs): def post(self, request, *args, **kwargs):
@@ -1082,8 +1083,10 @@ class UserRolesList(SubListCreateAttachDetachAPIView):
permission_classes = (IsAuthenticated,) permission_classes = (IsAuthenticated,)
def get_queryset(self): def get_queryset(self):
#u = User.objects.get(pk=self.kwargs['pk']) u = get_object_or_404(User, pk=self.kwargs['pk'])
return Role.visible_roles(self.request.user).filter(members__in=[int(self.kwargs['pk']), ]) if not self.request.user.can_access(User, 'read', u):
raise PermissionDenied()
return Role.filter_visible_roles(self.request.user, u.roles.all())
def post(self, request, *args, **kwargs): def post(self, request, *args, **kwargs):
# Forbid implicit role creation here # Forbid implicit role creation here

21
awx/main/models/rbac.py
View File

@@ -357,6 +357,7 @@ class Role(models.Model):
'roles_table': Role._meta.db_table, 'roles_table': Role._meta.db_table,
'ids': ','.join(str(x) for x in user.roles.values_list('id', flat=True)) 'ids': ','.join(str(x) for x in user.roles.values_list('id', flat=True))
} }
qs = Role.objects.extra( qs = Role.objects.extra(
where = [''' where = ['''
%(roles_table)s.id IN ( %(roles_table)s.id IN (
@@ -368,6 +369,26 @@ class Role(models.Model):
) )
return qs return qs
@staticmethod
def filter_visible_roles(user, roles_qs):
sql_params = {
'ancestors_table': Role.ancestors.through._meta.db_table,
'parents_table': Role.parents.through._meta.db_table,
'roles_table': Role._meta.db_table,
'ids': ','.join(str(x) for x in user.roles.all().values_list('id', flat=True))
}
qs = roles_qs.extra(
where = ['''
EXISTS (
SELECT 1 FROM
%(ancestors_table)s
WHERE (descendent_id = %(roles_table)s.id AND ancestor_id IN (%(ids)s))
OR (ancestor_id = %(roles_table)s.id AND descendent_id IN (%(ids)s))
) ''' % sql_params]
)
return qs
@staticmethod @staticmethod
def singleton(name): def singleton(name):
role, _ = Role.objects.get_or_create(singleton_name=name, role_field=name) role, _ = Role.objects.get_or_create(singleton_name=name, role_field=name)