External-Mirrors/awx
2
0
Fork 0
mirror of https://github.com/ansible/awx.git synced 2026-03-28 14:25:05 -02:30
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #1664 from AlanCoding/more_wfjt_cred_fixes

Browse Source 
Correctly check credential permission on WFJT copy
This commit is contained in:
Alan Rominger
2018-05-10 07:42:49 -04:00
committed by GitHub
parent 1b69f7a376 ec1e94376c
commit 5643505a31
4 changed files with 15 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
awx/api/generics.py
View File

@@ -878,6 +878,9 @@ class CopyAPIView(GenericAPIView):
obj, field.name, field_val obj, field.name, field_val
) )
new_obj = model.objects.create(**create_kwargs) new_obj = model.objects.create(**create_kwargs)
logger.debug(six.text_type('Deep copy: Created new object {}({})').format(
new_obj, model
))
# Need to save separatedly because Djang-crum get_current_user would # Need to save separatedly because Djang-crum get_current_user would
# not work properly in non-request-response-cycle context. # not work properly in non-request-response-cycle context.
new_obj.created_by = creater new_obj.created_by = creater

10
awx/api/views.py
View File

@@ -3702,12 +3702,18 @@ class WorkflowJobTemplateCopy(WorkflowsEnforcementMixin, CopyAPIView):
item = getattr(obj, field_name, None) item = getattr(obj, field_name, None)
if item is None: if item is None:
continue continue
if field_name in ['inventory']: elif field_name in ['inventory']:
if not user.can_access(item.__class__, 'use', item): if not user.can_access(item.__class__, 'use', item):
setattr(obj, field_name, None) setattr(obj, field_name, None)
if field_name in ['unified_job_template']: elif field_name in ['unified_job_template']:
if not user.can_access(item.__class__, 'start', item, validate_license=False): if not user.can_access(item.__class__, 'start', item, validate_license=False):
setattr(obj, field_name, None) setattr(obj, field_name, None)
elif field_name in ['credentials']:
for cred in item.all():
if not user.can_access(cred.__class__, 'use', cred):
logger.debug(six.text_type(
'Deep copy: removing {} from relationship due to permissions').format(cred))
item.remove(cred.pk)
obj.save() obj.save()

2
awx/main/access.py
View File

@@ -1821,7 +1821,7 @@ class WorkflowJobTemplateAccess(BaseAccess):
missing_inventories.append(node.inventory.name) missing_inventories.append(node.inventory.name)
for cred in node.credentials.all(): for cred in node.credentials.all():
if self.user not in cred.use_role: if self.user not in cred.use_role:
missing_credentials.append(node.credential.name) missing_credentials.append(cred.name)
ujt = node.unified_job_template ujt = node.unified_job_template
if ujt and not self.user.can_access(UnifiedJobTemplate, 'start', ujt, validate_license=False): if ujt and not self.user.can_access(UnifiedJobTemplate, 'start', ujt, validate_license=False):
missing_ujt.append(ujt.name) missing_ujt.append(ujt.name)

3
awx/main/tasks.py
View File

@@ -2326,6 +2326,9 @@ def _reconstruct_relationships(copy_mapping):
setattr(new_obj, field_name, related_obj) setattr(new_obj, field_name, related_obj)
elif field.many_to_many: elif field.many_to_many:
for related_obj in getattr(old_obj, field_name).all(): for related_obj in getattr(old_obj, field_name).all():
logger.debug(six.text_type('Deep copy: Adding {} to {}({}).{} relationship').format(
related_obj, new_obj, model, field_name
))
getattr(new_obj, field_name).add(copy_mapping.get(related_obj, related_obj)) getattr(new_obj, field_name).add(copy_mapping.get(related_obj, related_obj))
new_obj.save() new_obj.save()