Merge pull request #1441 from wwitzel3/rbac-bug-1423

make CustomInvetoryScript a resource.
2026-01-13 11:00:03 -03:30 · 2016-04-07 13:43:04 -04:00 · 2016-04-07 13:43:04 -04:00 · 62ba0b7488
commit 62ba0b7488
parent 2466fd0ca5 4a41c0f3b4
3 changed files with 53 additions and 2 deletions
--- a/awx/main/migrations/0008_v300_rbac_changes.py
+++ b/awx/main/migrations/0008_v300_rbac_changes.py
@ -141,6 +141,21 @@ class Migration(migrations.Migration):
            name='updater_role',
            field=awx.main.fields.ImplicitRoleField(related_name='+', to='main.Role', null=b'True'),
        ),
+        migrations.AddField(
+            model_name='custominventoryscript',
+            name='admin_role',
+            field=awx.main.fields.ImplicitRoleField(related_name='+', to='main.Role', null=b'True'),
+        ),
+        migrations.AddField(
+            model_name='custominventoryscript',
+            name='auditor_role',
+            field=awx.main.fields.ImplicitRoleField(related_name='+', to='main.Role', null=b'True'),
+        ),
+        migrations.AddField(
+            model_name='custominventoryscript',
+            name='member_role',
+            field=awx.main.fields.ImplicitRoleField(related_name='+', to='main.Role', null=b'True'),
+        ),
        migrations.AddField(
            model_name='jobtemplate',
            name='admin_role',
--- a/awx/main/models/inventory.py
+++ b/awx/main/models/inventory.py
@ -1264,7 +1264,7 @@ class InventoryUpdate(UnifiedJob, InventorySourceOptions):
        return True


-class CustomInventoryScript(CommonModelNameNotUnique):
+class CustomInventoryScript(CommonModelNameNotUnique, ResourceMixin):

    class Meta:
        app_label = 'main'
@ -1285,6 +1285,27 @@ class CustomInventoryScript(CommonModelNameNotUnique):
        on_delete=models.SET_NULL,
    )

+    admin_role = ImplicitRoleField(
+        role_name='CustomInventory Administrator',
+        role_description='May manage this inventory',
+        parent_role='organization.admin_role',
+        permissions = {'all': True}
+    )
+
+    member_role = ImplicitRoleField(
+        role_name='CustomInventory Member',
+        role_description='May view but not modify this inventory',
+        parent_role='organization.member_role',
+        permissions = {'read': True}
+    )
+
+    auditor_role = ImplicitRoleField(
+        role_name='CustomInventory Auditor',
+        role_description='May view but not modify this inventory',
+        parent_role='organization.auditor_role',
+        permissions = {'read': True}
+    )
+
    def get_absolute_url(self):
        return reverse('api:inventory_script_detail', args=(self.pk,))

--- a/awx/main/tests/functional/test_rbac_inventory.py
+++ b/awx/main/tests/functional/test_rbac_inventory.py
@ -1,10 +1,25 @@
 import pytest

 from awx.main.migrations import _rbac as rbac
-from awx.main.models import Permission, Host
+from awx.main.models import (
+    Permission,
+    Host,
+    CustomInventoryScript,
+)
 from awx.main.access import InventoryAccess
 from django.apps import apps

+@pytest.mark.django_db
+def test_custom_inv_script_access(organization, user):
+    u = user('user', False)
+
+    custom_inv = CustomInventoryScript.objects.create(name='test', script='test', description='test')
+    custom_inv.organization = organization
+    assert not custom_inv.accessible_by(u, {'read':True})
+
+    organization.member_role.members.add(u)
+    assert custom_inv.accessible_by(u, {'read':True})
+
@pytest.mark.django_db
 def test_inventory_admin_user(inventory, permissions, user):
    u = user('admin', False)