External-Mirrors/awx
2
0
Fork 0
mirror of https://github.com/ansible/awx.git synced 2026-05-20 15:27:47 -02:30
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #4578 from AlanCoding/access_list_perm

Browse Source 
Use ParentMixin for access_list permissions check
This commit is contained in:
Alan Rominger
2017-01-05 14:53:47 -05:00
committed by GitHub
parent 8ce97bae91 4e135bb406
commit 54980d09e3
4 changed files with 58 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
awx/api/generics.py
View File

@@ -559,14 +559,12 @@ class DestroyAPIView(GenericAPIView, generics.DestroyAPIView):
pass pass
class ResourceAccessList(ListAPIView): class ResourceAccessList(ParentMixin, ListAPIView):
serializer_class = ResourceAccessListElementSerializer serializer_class = ResourceAccessListElementSerializer
def get_queryset(self): def get_queryset(self):
self.object_id = self.kwargs['pk'] obj = self.get_parent_object()
resource_model = getattr(self, 'resource_model')
obj = get_object_or_404(resource_model, pk=self.object_id)
content_type = ContentType.objects.get_for_model(obj) content_type = ContentType.objects.get_for_model(obj)
roles = set(Role.objects.filter(content_type=content_type, object_id=obj.id)) roles = set(Role.objects.filter(content_type=content_type, object_id=obj.id))

3
awx/api/serializers.py
View File

@@ -1586,8 +1586,7 @@ class ResourceAccessListElementSerializer(UserSerializer):
the resource. the resource.
''' '''
ret = super(ResourceAccessListElementSerializer, self).to_representation(user) ret = super(ResourceAccessListElementSerializer, self).to_representation(user)
object_id = self.context['view'].object_id obj = self.context['view'].get_parent_object()
obj = self.context['view'].resource_model.objects.get(pk=object_id)
if self.context['view'].request is not None: if self.context['view'].request is not None:
requesting_user = self.context['view'].request.user requesting_user = self.context['view'].request.user
else: else:

16
awx/api/views.py
View File

@@ -872,7 +872,7 @@ class OrganizationNotificationTemplatesSuccessList(SubListCreateAttachDetachAPIV
class OrganizationAccessList(ResourceAccessList): class OrganizationAccessList(ResourceAccessList):
model = User # needs to be User for AccessLists's model = User # needs to be User for AccessLists's
resource_model = Organization parent_model = Organization
new_in_300 = True new_in_300 = True
@@ -1007,7 +1007,7 @@ class TeamActivityStreamList(ActivityStreamEnforcementMixin, SubListAPIView):
class TeamAccessList(ResourceAccessList): class TeamAccessList(ResourceAccessList):
model = User # needs to be User for AccessLists's model = User # needs to be User for AccessLists's
resource_model = Team parent_model = Team
new_in_300 = True new_in_300 = True
@@ -1201,7 +1201,7 @@ class ProjectUpdateNotificationsList(SubListAPIView):
class ProjectAccessList(ResourceAccessList): class ProjectAccessList(ResourceAccessList):
model = User # needs to be User for AccessLists's model = User # needs to be User for AccessLists's
resource_model = Project parent_model = Project
new_in_300 = True new_in_300 = True
@@ -1415,7 +1415,7 @@ class UserDetail(RetrieveUpdateDestroyAPIView):
class UserAccessList(ResourceAccessList): class UserAccessList(ResourceAccessList):
model = User # needs to be User for AccessLists's model = User # needs to be User for AccessLists's
resource_model = User parent_model = User
new_in_300 = True new_in_300 = True
@@ -1522,7 +1522,7 @@ class CredentialActivityStreamList(ActivityStreamEnforcementMixin, SubListAPIVie
class CredentialAccessList(ResourceAccessList): class CredentialAccessList(ResourceAccessList):
model = User # needs to be User for AccessLists's model = User # needs to be User for AccessLists's
resource_model = Credential parent_model = Credential
new_in_300 = True new_in_300 = True
@@ -1616,7 +1616,7 @@ class InventoryActivityStreamList(ActivityStreamEnforcementMixin, SubListAPIView
class InventoryAccessList(ResourceAccessList): class InventoryAccessList(ResourceAccessList):
model = User # needs to be User for AccessLists's model = User # needs to be User for AccessLists's
resource_model = Inventory parent_model = Inventory
new_in_300 = True new_in_300 = True
@@ -2690,7 +2690,7 @@ class JobTemplateJobsList(SubListCreateAPIView):
class JobTemplateAccessList(ResourceAccessList): class JobTemplateAccessList(ResourceAccessList):
model = User # needs to be User for AccessLists's model = User # needs to be User for AccessLists's
resource_model = JobTemplate parent_model = JobTemplate
new_in_300 = True new_in_300 = True
@@ -3036,7 +3036,7 @@ class WorkflowJobTemplateNotificationTemplatesSuccessList(WorkflowsEnforcementMi
class WorkflowJobTemplateAccessList(WorkflowsEnforcementMixin, ResourceAccessList): class WorkflowJobTemplateAccessList(WorkflowsEnforcementMixin, ResourceAccessList):
model = User # needs to be User for AccessLists's model = User # needs to be User for AccessLists's
resource_model = WorkflowJobTemplate parent_model = WorkflowJobTemplate
new_in_310 = True new_in_310 = True

48
awx/main/tests/unit/api/test_generics.py
View File

@@ -6,9 +6,16 @@ import mock
# DRF # DRF
from rest_framework import status from rest_framework import status
from rest_framework.response import Response from rest_framework.response import Response
from rest_framework.exceptions import PermissionDenied
# AWX # AWX
from awx.api.generics import ParentMixin, SubListCreateAttachDetachAPIView, DeleteLastUnattachLabelMixin from awx.api.generics import (
ParentMixin,
SubListCreateAttachDetachAPIView,
DeleteLastUnattachLabelMixin,
ResourceAccessList
)
from awx.main.models import Organization
@pytest.fixture @pytest.fixture
@@ -29,6 +36,11 @@ def mock_response_new(mocker):
return m return m
@pytest.fixture
def mock_organization():
return Organization(pk=4, name="Unsaved Org")
@pytest.fixture @pytest.fixture
def parent_relationship_factory(mocker): def parent_relationship_factory(mocker):
def rf(serializer_class, relationship_name, relationship_value=mocker.Mock()): def rf(serializer_class, relationship_name, relationship_value=mocker.Mock()):
@@ -178,3 +190,37 @@ class TestParentMixin:
get_object_or_404.assert_called_with(parent_mixin.parent_model, **parent_mixin.kwargs) get_object_or_404.assert_called_with(parent_mixin.parent_model, **parent_mixin.kwargs)
assert get_object_or_404.return_value == return_value assert get_object_or_404.return_value == return_value
class TestResourceAccessList:
def mock_request(self):
return mock.MagicMock(
user=mock.MagicMock(
is_anonymous=mock.MagicMock(return_value=False),
is_superuser=False
), method='GET')
def mock_view(self):
view = ResourceAccessList()
view.parent_model = Organization
view.kwargs = {'pk': 4}
return view
def test_parent_access_check_failed(self, mocker, mock_organization):
with mocker.patch('awx.api.permissions.get_object_or_400', return_value=mock_organization):
mock_access = mocker.MagicMock(__name__='for logger', return_value=False)
with mocker.patch('awx.main.access.BaseAccess.can_read', mock_access):
with pytest.raises(PermissionDenied):
self.mock_view().check_permissions(self.mock_request())
mock_access.assert_called_once_with(mock_organization)
def test_parent_access_check_worked(self, mocker, mock_organization):
with mocker.patch('awx.api.permissions.get_object_or_400', return_value=mock_organization):
mock_access = mocker.MagicMock(__name__='for logger', return_value=True)
with mocker.patch('awx.main.access.BaseAccess.can_read', mock_access):
self.mock_view().check_permissions(self.mock_request())
mock_access.assert_called_once_with(mock_organization)