Make the managed_by_tower field read-only for EEs (similar to how we deal with it not being settable for Credentials) and add permissions checking for Org EE Admins.

can_add: gets an explicit role to check against, `'execution_environment_admin_role'` can_change: leverages `self.check_related()` for the case where the Org is not changing, but also adds an explicit check for the EE Admin Role when the Org is changing to an explicit different Org.
2026-04-09 12:09:20 -02:30 · 2021-02-19 14:06:01 -05:00
parent 41fb21911e
commit 5b2adc89cf
2 changed files with 18 additions and 15 deletions
--- a/awx/api/serializers.py
+++ b/awx/api/serializers.py
@@ -1362,6 +1362,7 @@ class ProjectOptionsSerializer(BaseSerializer):

 class ExecutionEnvironmentSerializer(BaseSerializer):
    show_capabilities = ['edit', 'delete']
+    managed_by_tower = serializers.ReadOnlyField()

    class Meta:
        model = ExecutionEnvironment