Add more RBAC, filter out AJT/AJs from unified jobs lists

Comment out placeholder in serializer

awx/api/serializers.py

@@ -3446,9 +3446,12 @@ class WorkflowApprovalTemplateSerializer(UnifiedJobTemplateSerializer):
 
         res.update(dict(
             jobs = self.reverse('api:workflow_approval_template_jobs_list', kwargs={'pk': obj.pk}),
-            notification_templates_needs_approval = self.reverse('api:workflow_approval_template_notification_templates_needs_approval', kwargs={'pk': obj.pk}),
-            notification_templates_success = self.reverse('api:workflow_approval_template_notification_templates_success_list', kwargs={'pk': obj.pk}),
-            notification_templates_error = self.reverse('api:workflow_approval_template_notification_templates_error_list', kwargs={'pk': obj.pk}),
+            # &&&&&& Placeholder for notification things!
+            # notification_templates_started = self.reverse('api:workflow_approval_template_notification_templates_started_list', kwargs={'pk': obj.pk}),
+            # notification_templates_needs_approval = self.reverse(
+            #'api:workflow_approval_template_notification_templates_needs_approval_list', kwargs={'pk': obj.pk}),
+            # notification_templates_success = self.reverse('api:workflow_approval_template_notification_templates_success_list', kwargs={'pk': obj.pk}),
+            # notification_templates_error = self.reverse('api:workflow_approval_template_notification_templates_error_list', kwargs={'pk': obj.pk}),
         ))
         return res
 

awx/api/urls/workflow_approval_template.py

@@ -6,21 +6,12 @@ from django.conf.urls import url
 from awx.api.views import (
     WorkflowApprovalTemplateDetail,
     WorkflowApprovalTemplateJobsList,
-    WorkflowApprovalTemplateNotificationTemplatesErrorList,
-    WorkflowApprovalTemplateNotificationTemplatesNeedsApprovalList,
-    WorkflowApprovalTemplateNotificationTemplatesSuccessList,
 )
 
 
 urls = [
     url(r'^(?P<pk>[0-9]+)/$', WorkflowApprovalTemplateDetail.as_view(), name='workflow_approval_template_detail'),
     url(r'^(?P<pk>[0-9]+)/approvals/$', WorkflowApprovalTemplateJobsList.as_view(), name='workflow_approval_template_jobs_list'),
-    url(r'^(?P<pk>[0-9]+)/notification_templates_needs_approval/$', WorkflowApprovalTemplateNotificationTemplatesNeedsApprovalList.as_view(),
-        name='workflow_approval_template_notification_templates_needs_approval'),
-    url(r'^(?P<pk>[0-9]+)/notification_templates_error/$', WorkflowApprovalTemplateNotificationTemplatesErrorList.as_view(),
-        name='workflow_approval_template_notification_templates_error_list'),
-    url(r'^(?P<pk>[0-9]+)/notification_templates_success/$', WorkflowApprovalTemplateNotificationTemplatesSuccessList.as_view(),
-        name='workflow_approval_template_notification_templates_success_list'),
 ]
 
 __all__ = ['urls']

awx/api/views/__init__.py

@@ -4427,28 +4427,6 @@ class WorkflowApprovalTemplateDetail(RelatedJobsPreventDeleteMixin, RetrieveUpda
     serializer_class = serializers.WorkflowApprovalTemplateSerializer
 
 
-class WorkflowApprovalTemplateNotificationTemplatesAnyList(SubListCreateAttachDetachAPIView):
-
-    model = models.NotificationTemplate
-    serializer_class = serializers.NotificationTemplateSerializer
-    parent_model = models.WorkflowApprovalTemplate
-
-
-class WorkflowApprovalTemplateNotificationTemplatesNeedsApprovalList(WorkflowApprovalTemplateNotificationTemplatesAnyList):
-
-    relationship = 'notification_templates_needs_approval'
-
-
-class WorkflowApprovalTemplateNotificationTemplatesErrorList(WorkflowApprovalTemplateNotificationTemplatesAnyList):
-
-    relationship = 'notification_templates_error'
-
-
-class WorkflowApprovalTemplateNotificationTemplatesSuccessList(WorkflowApprovalTemplateNotificationTemplatesAnyList):
-
-    relationship = 'notification_templates_success'
-
-
 class WorkflowApprovalTemplateJobsList(SubListAPIView):
 
     model = models.WorkflowApproval

awx/main/access.py

@@ -2795,11 +2795,13 @@ class WorkflowApprovalAccess(BaseAccess):
             unified_job_node__in=WorkflowJobNode.accessible_pk_qs(
                 self.user, 'read_role'))
 
-    # &&&&&&
-    # def can_approve_or_deny(self, obj):
-    #     if self.user.is_superuser: or "self.user.approval_role"?
-    #         return True
-    #     return self.can_change(obj, ????)
+    def get_queryset(self):
+        return super(UnifiedJobTemplateAccess, self).get_queryset().exclude(
+            workflowapprovaltemplate__isnull=False)
+
+    def can_approve_or_deny(self, obj):
+        if self.user.approval_role:
+            return True
 
 
 class WorkflowApprovalTemplateAccess(BaseAccess):
@@ -2825,6 +2827,10 @@ class WorkflowApprovalTemplateAccess(BaseAccess):
             workflowjobtemplatenodes__workflow_job_template__in=WorkflowJobTemplate.accessible_pk_qs(
                 self.user, 'read_role'))
 
+    def get_queryset(self):
+        return super(UnifiedJobAccess, self).get_queryset().exclude(
+            workflowapproval__isnull=False)
+
 
 for cls in BaseAccess.__subclasses__():
     access_registry[cls.model] = cls

awx/main/migrations/0083_v360_workflow_approval.py

@@ -8,7 +8,7 @@ import django.db.models.deletion
 class Migration(migrations.Migration):
 
     dependencies = [
-        ('main', '0081_v360_notify_on_start'),
+        ('main', '0082_v360_workflowapproval'),
     ]
 
     operations = [

awx/main/models/__init__.py

@@ -174,7 +174,7 @@ def o_auth2_token_get_absolute_url(self, request=None):
 
 
 OAuth2AccessToken.add_to_class('get_absolute_url', o_auth2_token_get_absolute_url)
-# &&&&&& Add model here
+
 from awx.main.registrar import activity_stream_registrar # noqa
 activity_stream_registrar.connect(Organization)
 activity_stream_registrar.connect(Inventory)
@@ -202,8 +202,8 @@ activity_stream_registrar.connect(User)
 activity_stream_registrar.connect(WorkflowJobTemplate)
 activity_stream_registrar.connect(WorkflowJobTemplateNode)
 activity_stream_registrar.connect(WorkflowJob)
-# activity_stream_registrar.connect(WorkflowApproval) &&&&&&
-# activity_stream_registrar.connect(WorkflowApprovalTemplate)
+activity_stream_registrar.connect(WorkflowApproval)
+activity_stream_registrar.connect(WorkflowApprovalTemplate)
 activity_stream_registrar.connect(OAuth2Application)
 activity_stream_registrar.connect(OAuth2AccessToken)
 

awx/main/models/activity_stream.py

@@ -66,6 +66,9 @@ class ActivityStream(models.Model):
     workflow_job_node = models.ManyToManyField("WorkflowJobNode", blank=True)
     workflow_job_template = models.ManyToManyField("WorkflowJobTemplate", blank=True)
     workflow_job = models.ManyToManyField("WorkflowJob", blank=True)
+#   Possibly adding workflow_approval-related fields here?? &&&&&&
+#    workflow_approval_template = models.ManyToManyField("WorkflowApprovalTemplate", blank=True)
+#    workflow_approval = models.ManyToManyField("WorkflowApproval", blank=True)
     unified_job_template = models.ManyToManyField("UnifiedJobTemplate", blank=True, related_name='activity_stream_as_unified_job_template+')
     unified_job = models.ManyToManyField("UnifiedJob", blank=True, related_name='activity_stream_as_unified_job+')
     ad_hoc_command = models.ManyToManyField("AdHocCommand", blank=True)

awx/main/models/base.py

@@ -392,13 +392,6 @@ class NotificationFieldsModel(BaseModel):
         related_name='%(class)s_notification_templates_for_started'
     )
 
-    # &&&&&& Placeholder for workflow pause/approve notifications
-    # notification_templates_needs_approval = models.ManyToManyField(
-    #     "NotificationTemplate",
-    #     blank=True,
-    #     related_name='%(class)s_notification_templates_for_needs_approval'
-    # )
-
 
 def prevent_search(relation):
     """

awx/main/models/workflow.py

@@ -636,31 +636,6 @@ class WorkflowApprovalTemplate(UnifiedJobTemplate):
     def get_absolute_url(self, request=None):
         return reverse('api:workflow_approval_template_detail', kwargs={'pk': self.pk}, request=request)
 
-    # @property
-    # def notification_templates(self):
-    #     # Return all notification_templates defined on the Job Template, on the Project, and on the Organization for each trigger type
-    #     base_notification_templates = NotificationTemplate.objects.all()
-    #     error_notification_templates = list(base_notification_templates.filter(
-    #         unifiedjobtemplate_notification_templates_for_errors__in=[self]))
-    #     needs_approval_notification_templates = list(base_notification_templates.filter(
-    #         notification_templates_needs_approval__in=[self]))
-    #     success_notification_templates = list(base_notification_templates.filter(
-    #         unifiedjobtemplate_notification_templates_for_success__in=[self]))
-    #     return dict(error=list(error_notification_templates),
-    #                 needs_approval=list(needs_approval_notification_templates),
-    #                 success=list(success_notification_templates))
-# &&&&&& Approval nodes don't have orgs!
-        # if self.project is not None and self.project.organization is not None:
-        #     error_notification_templates = set(error_notification_templates + list(base_notification_templates.filter(
-        #         organization_notification_templates_for_errors=self.project.organization)))
-        #     started_notification_templates = set(started_notification_templates + list(base_notification_templates.filter(
-        #         organization_notification_templates_for_started=self.project.organization)))
-        #     success_notification_templates = set(success_notification_templates + list(base_notification_templates.filter(
-        #         organization_notification_templates_for_success=self.project.organization)))
-        # return dict(error=list(error_notification_templates),
-        #             needs_approval=list(needs_approval_notification_templates),
-        #             success=list(success_notification_templates))
-
 
 class WorkflowApproval(UnifiedJob):
     class Meta:

awx/main/scheduler/task_manager.py

@@ -23,7 +23,6 @@ from awx.main.models import (
     Project,
     ProjectUpdate,
     SystemJob,
-    # &&&&&& WorkflowApproval,
     WorkflowJob,
     WorkflowJobTemplate
 )
@@ -239,11 +238,6 @@ class TaskManager():
                 task.send_notification_templates('running')
                 logger.debug('Transitioning %s to running status.', task.log_format)
                 schedule_task_manager()
-            # elif type(task) is WorkflowApproval: (&&&&&& placeholder for notification work)
-            #     task.status = 'pending'
-            #     task.send_notification_templates('pending')
-            #     logger.debug('Transitioning %s to pending status.', task.log_format)
-            #     schedule_task_manager()
             elif not task.supports_isolation() and rampart_group.controller_id:
                 # non-Ansible jobs on isolated instances run on controller
                 task.instance_group = rampart_group.controller

awx/main/signals.py

@@ -430,6 +430,8 @@ def model_serializer_mapping():
         models.Label: serializers.LabelSerializer,
         models.WorkflowJobTemplate: serializers.WorkflowJobTemplateWithSpecSerializer,
         models.WorkflowJobTemplateNode: serializers.WorkflowJobTemplateNodeSerializer,
+        models.WorkflowApproval: serializers.WorkflowApprovalSerializer,
+        models.WorkflowApprovalTemplate: serializers.WorkflowApprovalTemplateSerializer,  # &&&&&&
         models.WorkflowJob: serializers.WorkflowJobSerializer,
         models.OAuth2AccessToken: serializers.OAuth2TokenSerializer,
         models.OAuth2Application: serializers.OAuth2ApplicationSerializer,
@@ -504,6 +506,11 @@ def activity_stream_update(sender, instance, **kwargs):
         activity_entry.setting = conf_to_dict(instance)
         activity_entry.save()
 
+# &&&&&&
+    # if isinstance(obj1, WorkflowApprovalTemplate) or isinstance(obj2_actual, WorkflowApprovalTemplate):
+    #     continue
+
+
 
 def activity_stream_delete(sender, instance, **kwargs):
     if not activity_stream_enabled: