AC-688 Fixed error adding team credential, added test.

2026-01-12 18:40:01 -03:30 · 2013-11-20 16:48:57 -05:00 · 2013-11-20 16:48:57 -05:00 · 4f46ad63db
commit 4f46ad63db
parent 9f40a6c8b4
3 changed files with 19 additions and 5 deletions
--- a/awx/api/serializers.py
+++ b/awx/api/serializers.py
@ -746,7 +746,6 @@ class PermissionSerializer(BaseSerializer):
            res['inventory']   = reverse('api:inventory_detail', args=(obj.inventory.pk,))
        return res

-
    def validate(self, attrs):
        # Can only set either user or team.
        if attrs['user'] and attrs['team']:
--- a/awx/main/access.py
+++ b/awx/main/access.py
@ -521,12 +521,12 @@ class CredentialAccess(BaseAccess):
    def can_add(self, data):
        if self.user.is_superuser:
            return True
-        if 'user' in data:
-            user_pk = get_pk_from_dict(data, 'user')
+        user_pk = get_pk_from_dict(data, 'user')
+        if user_pk:
            user_obj = get_object_or_400(User, pk=user_pk)
            return self.user.can_access(User, 'change', user_obj, None)
-        if 'team' in data:
-            team_pk = get_pk_from_dict(data, 'team')
+        team_pk = get_pk_from_dict(data, 'team')
+        if team_pk:
            team_obj = get_object_or_400(Team, pk=team_pk)
            return self.user.can_access(Team, 'change', team_obj, None)
        return False
@ -534,6 +534,8 @@ class CredentialAccess(BaseAccess):
    def can_change(self, obj, data):
        if self.user.is_superuser:
            return True
+        if not self.can_add(data):
+            return False
        if self.user == obj.created_by:
            return True
        if obj.user:
--- a/awx/main/tests/projects.py
+++ b/awx/main/tests/projects.py
@ -518,6 +518,19 @@ class ProjectsTest(BaseTest):
            data['ssh_key_unlock'] = TEST_SSH_KEY_DATA_UNLOCK
            self.post(url, data, expect=201)

+        # Test post as organization admin where team is part of org, but user
+        # creating credential is not a member of the team.  UI may pass user
+        # as an empty string instead of None.
+        normal_org = self.normal_django_user.admin_of_organizations.all()[0]
+        org_team = normal_org.teams.create(name='new empty team')
+        with self.current_user(self.normal_django_user):
+            data = {
+                'name': 'my team cred',
+                'team': org_team.pk,
+                'user': '',
+            }
+            self.post(url, data, expect=201)
+
        # FIXME: Check list as other users.

        # can edit a credential