External-Mirrors/awx
2
0
Fork 0
mirror of https://github.com/ansible/awx.git synced 2026-05-07 01:17:37 -02:30
Code Issues Packages Projects Releases Wiki Activity

Fix AC-293. Explicitly check for start/cancel permissions on job for access to job start/cancel views.

Browse Source
This commit is contained in:
Chris Church
2013-07-28 13:50:25 -04:00
parent 6f09299284
commit 4c2af3a879
2 changed files with 13 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
awx/main/permissions.py
View File

@@ -14,6 +14,7 @@ from rest_framework import permissions
# AWX # AWX
from awx.main.access import * from awx.main.access import *
from awx.main.models import * from awx.main.models import *
from awx.main.utils import get_object_or_400
logger = logging.getLogger('awx.main.permissions') logger = logging.getLogger('awx.main.permissions')
@@ -34,7 +35,7 @@ class ModelAccessPermission(permissions.BasePermission):
def check_get_permissions(self, request, view, obj=None): def check_get_permissions(self, request, view, obj=None):
if hasattr(view, 'parent_model'): if hasattr(view, 'parent_model'):
parent_obj = view.parent_model.objects.get(pk=view.kwargs['pk']) parent_obj = get_object_or_400(view.parent_model, pk=view.kwargs['pk'])
if not check_user_access(request.user, view.parent_model, 'read', if not check_user_access(request.user, view.parent_model, 'read',
parent_obj): parent_obj):
return False return False
@@ -44,8 +45,16 @@ class ModelAccessPermission(permissions.BasePermission):
def check_post_permissions(self, request, view, obj=None): def check_post_permissions(self, request, view, obj=None):
if hasattr(view, 'parent_model'): if hasattr(view, 'parent_model'):
parent_obj = view.parent_model.objects.get(pk=view.kwargs['pk']) parent_obj = get_object_or_400(view.parent_model, pk=view.kwargs['pk'])
return True return True
elif getattr(view, 'is_job_start', False):
if not obj:
return True
return check_user_access(request.user, view.model, 'start', obj)
elif getattr(view, 'is_job_cancel', False):
if not obj:
return True
return check_user_access(request.user, view.model, 'cancel', obj)
else: else:
if obj: if obj:
return True return True

2
awx/main/views.py
View File

@@ -782,6 +782,7 @@ class JobDetail(RetrieveUpdateDestroyAPIView):
class JobStart(generics.GenericAPIView): class JobStart(generics.GenericAPIView):
model = Job model = Job
is_job_start = True
def get(self, request, *args, **kwargs): def get(self, request, *args, **kwargs):
obj = self.get_object() obj = self.get_object()
@@ -807,6 +808,7 @@ class JobStart(generics.GenericAPIView):
class JobCancel(generics.GenericAPIView): class JobCancel(generics.GenericAPIView):
model = Job model = Job
is_job_cancel = True
def get(self, request, *args, **kwargs): def get(self, request, *args, **kwargs):
obj = self.get_object() obj = self.get_object()