From 5af6d14f279560f23c545b7a350238d59692f10c Mon Sep 17 00:00:00 2001
From: AlanCoding
Date: Wed, 15 Jun 2016 10:52:25 -0400
Subject: [PATCH] protect launch endpoint against certain falsy values
---
 awx/api/serializers.py | 2 +-
 awx/api/views.py | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/awx/api/serializers.py b/awx/api/serializers.py
index dff4648ff7..177dc29ca6 100644
--- a/awx/api/serializers.py
+++ b/awx/api/serializers.py
@@ -2290,7 +2290,7 @@ class JobLaunchSerializer(BaseSerializer):
 data = self.context.get('data')
 for field in obj.resources_needed_to_start:
- if not (field in attrs and obj._ask_for_vars_dict().get(field, False)):
+ if not (attrs.get(field, False) and obj._ask_for_vars_dict().get(field, False)):
 errors[field] = "Job Template '%s' is missing or undefined." % field
 if (not obj.ask_credential_on_launch) or (not attrs.get('credential', None)):
diff --git a/awx/api/views.py b/awx/api/views.py
index 2f1ef6cd78..0133af0b2d 100644
--- a/awx/api/views.py
+++ b/awx/api/views.py
@@ -2325,12 +2325,12 @@ class JobTemplateLaunch(RetrieveAPIView, GenericAPIView):
 prompted_fields, ignored_fields = obj._accept_or_ignore_job_kwargs(**request.data)
 if 'credential' in prompted_fields and prompted_fields['credential'] != getattrd(obj, 'credential.pk', None):
- new_credential = Credential.objects.get(pk=prompted_fields['credential'])
+ new_credential = get_object_or_400(Credential, pk=get_pk_from_dict(prompted_fields, 'credential'))
 if request.user not in new_credential.use_role:
 raise PermissionDenied()
 if 'inventory' in prompted_fields and prompted_fields['inventory'] != getattrd(obj, 'inventory.pk', None):
- new_inventory = Inventory.objects.get(pk=prompted_fields['inventory'])
+ new_inventory = get_object_or_400(Inventory, pk=get_pk_from_dict(prompted_fields, 'inventory'))
 if request.user not in new_inventory.use_role:
 raise PermissionDenied()
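Review bot: The new `attrs.get(field, False)` test in the serializers.py hunk treats every falsy submitted value (None, '', 0, an empty list) the same as an absent key, and nothing in the hunk records that this is intended. A short comment above the condition, such as `# a null/empty value counts as "not provided" for a required launch resource`, would make that explicit. `obj._ask_for_vars_dict()` is also called on every pass of the loop; binding it once before the `for`, e.g. `ask_vars = obj._ask_for_vars_dict()`, would make the condition easier to read. The enclosing method starts and ends outside the hunk.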
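Review bot: In the views.py hunk the `use_role` check runs on the object resolved from `get_pk_from_dict(prompted_fields, ...)`, while the guard on the preceding line still compares the raw `prompted_fields['credential']` and `prompted_fields['inventory']` values with the template's pk. If the helper normalizes the value (its body is not visible here), the comparison and the lookup operate on different forms of the same input, and any later code that launches with the raw `prompted_fields` entry would be using a value other than the one that was authorized. Normalizing once, e.g. `cred_pk = get_pk_from_dict(prompted_fields, 'credential')`, and using `cred_pk` for the comparison, the lookup and whatever is passed on keeps the check and the use on a single value; the same applies to the inventory branch. The method continues outside the hunk, so what is finally passed to the launch should be confirmed there.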