Fixed up JobAccess.get_queryset to use new RBAC system

2026-01-19 05:31:22 -03:30 · 2016-03-16 11:36:19 -04:00 · 2016-03-16 11:36:19 -04:00 · 598d5ba5ef
commit 598d5ba5ef
parent 8d439c9468
1 changed files with 3 additions and 39 deletions
--- a/awx/main/access.py
+++ b/awx/main/access.py
@ -819,47 +819,11 @@ class JobAccess(BaseAccess):
        qs = qs.prefetch_related('unified_job_template')
        if self.user.is_superuser:
            return qs
+
        credential_ids = self.user.get_queryset(Credential)
-        base_qs = qs.filter(
+        return qs.filter(
            credential_id__in=credential_ids,
-        )
-        org_admin_ids = base_qs.filter(
-            Q(project__organizations__admins__in=[self.user]) |
-            (Q(project__isnull=True) & Q(job_type=PERM_INVENTORY_SCAN) & Q(inventory__organization__admins__in=[self.user]))
-        )
-
-        allowed_deploy = [PERM_JOBTEMPLATE_CREATE, PERM_INVENTORY_DEPLOY]
-        allowed_check = [PERM_JOBTEMPLATE_CREATE, PERM_INVENTORY_DEPLOY, PERM_INVENTORY_CHECK]
-        team_ids = Team.objects.filter(member_role__members=self.user)
-
-        # TODO: I think the below queries can be combined
-        deploy_permissions_ids = Permission.objects.filter(
-            Q(user=self.user) | Q(team__in=team_ids),
-            permission_type__in=allowed_deploy,
-        )
-        check_permissions_ids = Permission.objects.filter(
-            Q(user=self.user) | Q(team__in=team_ids),
-            permission_type__in=allowed_check,
-        )
-
-        perm_deploy_ids = base_qs.filter(
-            job_type=PERM_INVENTORY_DEPLOY,
-            inventory__permissions__in=deploy_permissions_ids,
-            project__permissions__in=deploy_permissions_ids,
-            inventory__permissions__pk=F('project__permissions__pk'),
-        )
-
-        perm_check_ids = base_qs.filter(
-            job_type=PERM_INVENTORY_CHECK,
-            inventory__permissions__in=check_permissions_ids,
-            project__permissions__in=check_permissions_ids,
-            inventory__permissions__pk=F('project__permissions__pk'),
-        )
-
-        return base_qs.filter(
-            Q(id__in=org_admin_ids) |
-            Q(id__in=perm_deploy_ids) |
-            Q(id__in=perm_check_ids)
+            job_template__in=JobTemplate.accessible_objects(self.user, {'read': True})
        )

    def can_add(self, data):