protect launch endpoint against certain falsy values

2026-01-17 12:41:19 -03:30 · 2016-06-15 10:52:25 -04:00 · 2016-06-15 10:52:25 -04:00 · 5af6d14f27
commit 5af6d14f27
parent 490425970a
2 changed files with 3 additions and 3 deletions
--- a/awx/api/serializers.py
+++ b/awx/api/serializers.py
@ -2290,7 +2290,7 @@ class JobLaunchSerializer(BaseSerializer):
        data = self.context.get('data')

        for field in obj.resources_needed_to_start:
-            if not (field in attrs and obj._ask_for_vars_dict().get(field, False)):
+            if not (attrs.get(field, False) and obj._ask_for_vars_dict().get(field, False)):
                errors[field] = "Job Template '%s' is missing or undefined." % field

        if (not obj.ask_credential_on_launch) or (not attrs.get('credential', None)):
--- a/awx/api/views.py
+++ b/awx/api/views.py
@ -2325,12 +2325,12 @@ class JobTemplateLaunch(RetrieveAPIView, GenericAPIView):
        prompted_fields, ignored_fields = obj._accept_or_ignore_job_kwargs(**request.data)

        if 'credential' in prompted_fields and prompted_fields['credential'] != getattrd(obj, 'credential.pk', None):
-            new_credential = Credential.objects.get(pk=prompted_fields['credential'])
+            new_credential = get_object_or_400(Credential, pk=get_pk_from_dict(prompted_fields, 'credential'))
            if request.user not in new_credential.use_role:
                raise PermissionDenied()

        if 'inventory' in prompted_fields and prompted_fields['inventory'] != getattrd(obj, 'inventory.pk', None):
-            new_inventory = Inventory.objects.get(pk=prompted_fields['inventory'])
+            new_inventory = get_object_or_400(Inventory, pk=get_pk_from_dict(prompted_fields, 'inventory'))
            if request.user not in new_inventory.use_role:
                raise PermissionDenied()