External-Mirrors/awx
2
0
Fork 0
mirror of https://github.com/ansible/awx.git synced 2026-05-15 21:37:42 -02:30
Code Issues Packages Projects Releases Wiki Activity

clean up application logic

Browse Source
This commit is contained in:
adamscmRH
2018-04-03 16:05:29 -04:00
parent 9ef1fce5e1
commit 53139b109e
4 changed files with 29 additions and 28 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
awx/main/access.py
View File

@@ -586,7 +586,7 @@ class OAuth2ApplicationAccess(BaseAccess):
- I am a user in the organization of the application. - I am a user in the organization of the application.
I can create OAuth 2 applications when: I can create OAuth 2 applications when:
- I am a superuser. - I am a superuser.
- I am the admin of the organization of the organization of the application. - I am the admin of the organization of the application.
''' '''
model = OAuth2Application model = OAuth2Application
@@ -596,15 +596,11 @@ class OAuth2ApplicationAccess(BaseAccess):
return self.model.objects.filter(organization__in=self.user.organizations) return self.model.objects.filter(organization__in=self.user.organizations)
def can_change(self, obj, data): def can_change(self, obj, data):
if obj.organization in self.user.admin_of_organizations or self.user.is_superuser: return self.user.is_superuser or self.check_related('organization', Organization, data, obj=obj,
if not self.check_related('organization', Organization, data, role_field='admin_role'): role_field='admin_role', mandatory=True)
return False
return True
else:
return False
def can_delete(self, obj): def can_delete(self, obj):
return obj.organization in self.user.admin_of_organizations or self.user.is_superuser return self.user.is_superuser or obj.organization in self.user.admin_of_organizations
def can_add(self, data): def can_add(self, data):
if self.user.is_superuser: if self.user.is_superuser:

2
awx/main/tests/functional/api/test_oauth.py
View File

@@ -9,7 +9,7 @@ from oauth2_provider.models import RefreshToken
@pytest.mark.django_db @pytest.mark.django_db
def test_personal_access_token_creation(oauth_application, post, alice): # TODO: Update this test def test_personal_access_token_creation(oauth_application, post, alice):
url = drf_reverse('api:oauth_authorization_root_view') + 'token/' url = drf_reverse('api:oauth_authorization_root_view') + 'token/'
resp = post( resp = post(
url, url,

38
awx/main/tests/functional/test_rbac_oauth.py
View File

@@ -34,30 +34,34 @@ class TestOAuth2Application:
assert access.can_read(app) is can_access assert access.can_read(app) is can_access
@pytest.mark.parametrize("user_for_access, can_access_list", [ def test_can_edit_delete_app_org_admin(
(0, [True, True]), self, admin, org_admin, org_member, alice, organization
(1, [True, True]),
(2, [False, False]),
(3, [False, False]),
])
def test_can_edit_delete_app(
self, admin, org_admin, org_member, alice, user_for_access, can_access_list, organization
): ):
organization.admin_role.members.add(org_admin)
organization.member_role.members.add(org_member)
user_list = [admin, org_admin, org_member, alice] user_list = [admin, org_admin, org_member, alice]
access = OAuth2ApplicationAccess(user_list[user_for_access]) can_access_list = [True, True, False, False]
app_creation_user_list = [admin, org_admin] for user, can_access in zip(user_list, can_access_list):
for user, can_access in zip(app_creation_user_list, can_access_list):
app = Application.objects.create( app = Application.objects.create(
name='test app for {}'.format(user.username), user=user, name='test app for {}'.format(org_admin.username), user=org_admin,
client_type='confidential', authorization_grant_type='password', organization=organization client_type='confidential', authorization_grant_type='password', organization=organization
) )
access = OAuth2ApplicationAccess(user)
assert access.can_change(app, {}) is can_access
assert access.can_delete(app) is can_access
def test_can_edit_delete_app_admin(
self, admin, org_admin, org_member, alice, organization
):
user_list = [admin, org_admin, org_member, alice]
can_access_list = [True, True, False, False]
for user, can_access in zip(user_list, can_access_list):
app = Application.objects.create(
name='test app for {}'.format(admin.username), user=admin,
client_type='confidential', authorization_grant_type='password', organization=organization
)
access = OAuth2ApplicationAccess(user)
assert access.can_change(app, {}) is can_access assert access.can_change(app, {}) is can_access
assert access.can_delete(app) is can_access assert access.can_delete(app) is can_access
def test_superuser_can_always_create(self, admin, org_admin, org_member, alice): def test_superuser_can_always_create(self, admin, org_admin, org_member, alice):

3
awx/settings/defaults.py
View File

@@ -289,8 +289,9 @@ REST_FRAMEWORK = {
'DEFAULT_PAGINATION_CLASS': 'awx.api.pagination.Pagination', 'DEFAULT_PAGINATION_CLASS': 'awx.api.pagination.Pagination',
'PAGE_SIZE': 25, 'PAGE_SIZE': 25,
'DEFAULT_AUTHENTICATION_CLASSES': ( 'DEFAULT_AUTHENTICATION_CLASSES': (
'awx.api.authentication.LoggedOAuth2Authentication',
'awx.api.authentication.SessionAuthentication', 'awx.api.authentication.SessionAuthentication',
'awx.api.authentication.LoggedOAuth2Authentication',
# 'awx.api.authentication.SessionAuthentication',
'awx.api.authentication.LoggedBasicAuthentication', 'awx.api.authentication.LoggedBasicAuthentication',
), ),
'DEFAULT_PERMISSION_CLASSES': ( 'DEFAULT_PERMISSION_CLASSES': (