Fixed up JobAccess.get_queryset to use new RBAC system

2026-05-13 20:37:39 -02:30 · 2016-03-16 11:36:19 -04:00
parent 8d439c9468
commit 598d5ba5ef
1 changed files with 3 additions and 39 deletions
--- a/awx/main/access.py
+++ b/awx/main/access.py
@@ -819,47 +819,11 @@ class JobAccess(BaseAccess):
        qs = qs.prefetch_related('unified_job_template')
        if self.user.is_superuser:
            return qs
        credential_ids = self.user.get_queryset(Credential)
-        base_qs = qs.filter(
+        return qs.filter(
            credential_id__in=credential_ids,
-        )
+            job_template__in=JobTemplate.accessible_objects(self.user, {'read': True})
        org_admin_ids = base_qs.filter(
            Q(project__organizations__admins__in=[self.user]) |
            (Q(project__isnull=True) & Q(job_type=PERM_INVENTORY_SCAN) & Q(inventory__organization__admins__in=[self.user]))
        )
        allowed_deploy = [PERM_JOBTEMPLATE_CREATE, PERM_INVENTORY_DEPLOY]
        allowed_check = [PERM_JOBTEMPLATE_CREATE, PERM_INVENTORY_DEPLOY, PERM_INVENTORY_CHECK]
        team_ids = Team.objects.filter(member_role__members=self.user)
        # TODO: I think the below queries can be combined
        deploy_permissions_ids = Permission.objects.filter(
            Q(user=self.user) | Q(team__in=team_ids),
            permission_type__in=allowed_deploy,
        )
        check_permissions_ids = Permission.objects.filter(
            Q(user=self.user) | Q(team__in=team_ids),
            permission_type__in=allowed_check,
        )
        perm_deploy_ids = base_qs.filter(
            job_type=PERM_INVENTORY_DEPLOY,
            inventory__permissions__in=deploy_permissions_ids,
            project__permissions__in=deploy_permissions_ids,
            inventory__permissions__pk=F('project__permissions__pk'),
        )
        perm_check_ids = base_qs.filter(
            job_type=PERM_INVENTORY_CHECK,
            inventory__permissions__in=check_permissions_ids,
            project__permissions__in=check_permissions_ids,
            inventory__permissions__pk=F('project__permissions__pk'),
        )
        return base_qs.filter(
            Q(id__in=org_admin_ids) |
            Q(id__in=perm_deploy_ids) |
            Q(id__in=perm_check_ids)
        )
    def can_add(self, data):