Adjust ExecutionEnvironmentAccess to account for the new EE admin role
committed by
Shane McDonald
parent
e7bf81883b
commit
5f1da2b923
@@ -1312,7 +1312,7 @@ class ExecutionEnvironmentAccess(BaseAccess):
|
|||||||
"""
|
"""
|
||||||
I can see an execution environment when:
|
I can see an execution environment when:
|
||||||
- I'm a superuser
|
- I'm a superuser
|
||||||
- I'm a member of the organization
|
- I'm a member of the same organization
|
||||||
- it is a global ExecutionEnvironment
|
- it is a global ExecutionEnvironment
|
||||||
I can create/change an execution environment when:
|
I can create/change an execution environment when:
|
||||||
- I'm a superuser
|
- I'm a superuser
|
||||||
@@ -1321,32 +1321,32 @@ class ExecutionEnvironmentAccess(BaseAccess):
|
|||||||
|
|
||||||
model = ExecutionEnvironment
|
model = ExecutionEnvironment
|
||||||
select_related = ('organization',)
|
select_related = ('organization',)
|
||||||
prefetch_related = ('organization__admin_role',)
|
prefetch_related = ('organization__admin_role', 'organization__execution_environment_admin_role')
|
||||||
|
|
||||||
def filtered_queryset(self):
|
def filtered_queryset(self):
|
||||||
return ExecutionEnvironment.objects.filter(
|
return ExecutionEnvironment.objects.filter(
|
||||||
Q(organization__in=Organization.accessible_pk_qs(self.user, 'admin_role')) |
|
Q(organization__in=Organization.accessible_pk_qs(self.user, 'execution_environment_admin_role')) |
|
||||||
Q(organization__isnull=True)
|
Q(organization__isnull=True)
|
||||||
).distinct()
|
).distinct()
|
||||||
|
|
||||||
@check_superuser
|
@check_superuser
|
||||||
def can_add(self, data):
|
def can_add(self, data):
|
||||||
if not data: # So the browseable API will work
|
if not data: # So the browseable API will work
|
||||||
return Organization.accessible_objects(self.user, 'admin_role').exists()
|
return Organization.accessible_objects(self.user, 'execution_environment_admin_role').exists()
|
||||||
return self.check_related('organization', Organization, data)
|
return self.check_related('organization', Organization, data)
|
||||||
|
|
||||||
@check_superuser
|
@check_superuser
|
||||||
def can_change(self, obj, data):
|
def can_change(self, obj, data):
|
||||||
if obj and obj.organization_id is None:
|
if obj and obj.organization_id is None:
|
||||||
raise PermissionDenied
|
raise PermissionDenied
|
||||||
if self.user not in obj.organization.admin_role:
|
if self.user not in obj.organization.execution_environment_admin_role:
|
||||||
raise PermissionDenied
|
raise PermissionDenied
|
||||||
org_pk = get_pk_from_dict(data, 'organization')
|
org_pk = get_pk_from_dict(data, 'organization')
|
||||||
if obj and obj.organization_id != org_pk:
|
if obj and obj.organization_id != org_pk:
|
||||||
# Prevent moving an EE to a different organization, unless a superuser or admin on both orgs.
|
# Prevent moving an EE to a different organization, unless a superuser or admin on both orgs.
|
||||||
if obj.organization_id is None or org_pk is None:
|
if obj.organization_id is None or org_pk is None:
|
||||||
raise PermissionDenied
|
raise PermissionDenied
|
||||||
if self.user not in Organization.objects.get(id=org_pk).admin_role:
|
if self.user not in Organization.objects.get(id=org_pk).execution_environment_admin_role:
|
||||||
raise PermissionDenied
|
raise PermissionDenied
|
||||||
|
|
||||||
return True
|
return True
|
||||||
|
|||||||
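Review bot: In `can_add`, only the empty-data branch was switched to `execution_environment_admin_role`; the real creation path still calls `self.check_related('organization', Organization, data)` with no role argument, so it presumably still enforces whatever role that helper defaults to (its body is not shown on this page). If that default is the organization `admin_role`, an EE admin who is not an org admin is offered the add form but refused on POST. Consider naming the role explicitly, e.g. `self.check_related('organization', Organization, data, role_field='execution_environment_admin_role')`. It is also worth confirming what the helper returns when `organization` is omitted from `data`, so that a non-superuser cannot end up creating a global EE. Separately, the docstring now says members of the organization can see an EE while `filtered_queryset` filters on the EE admin role, and the comment in `can_change` still reads "admin on both orgs"; both should be aligned with the role the code actually checks.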