External-Mirrors/awx
2
0
Fork 0
mirror of https://github.com/ansible/awx.git synced 2026-03-01 00:38:45 -03:30
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #3721 from AlanCoding/org_members_read_teams

Browse Source 
Use querset special case to let org members see teams

Reviewed-by: https://github.com/softwarefactory-project-zuul[bot]
This commit is contained in:
softwarefactory-project-zuul[bot]
2019-04-17 12:24:49 +00:00
committed by GitHub
parent 4fd04e095f 1ddb675fa2
commit 66886fb57a
3 changed files with 20 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
awx/main/access.py
View File

@@ -1245,6 +1245,7 @@ class TeamAccess(BaseAccess):
- I'm a superuser. - I'm a superuser.
- I'm an admin of the team - I'm an admin of the team
- I'm a member of that team. - I'm a member of that team.
- I'm a member of the team's organization
I can create/change a team when: I can create/change a team when:
- I'm a superuser. - I'm a superuser.
- I'm an admin for the team - I'm an admin for the team
@@ -1257,7 +1258,10 @@ class TeamAccess(BaseAccess):
if settings.ORG_ADMINS_CAN_SEE_ALL_USERS and \ if settings.ORG_ADMINS_CAN_SEE_ALL_USERS and \
(self.user.admin_of_organizations.exists() or self.user.auditor_of_organizations.exists()): (self.user.admin_of_organizations.exists() or self.user.auditor_of_organizations.exists()):
return self.model.objects.all() return self.model.objects.all()
return self.model.accessible_objects(self.user, 'read_role') return self.model.objects.filter(
Q(organization=Organization.accessible_pk_qs(self.user, 'member_role')) |
Q(pk__in=self.model.accessible_pk_qs(self.user, 'read_role'))
)
@check_superuser @check_superuser
def can_add(self, data): def can_add(self, data):

7
awx/main/tests/functional/test_projects.py
View File

@@ -175,13 +175,6 @@ def test_team_project_list(get, team_project_list):
assert get(reverse('api:user_projects_list', kwargs={'pk':admin.pk,}), alice).data['count'] == 2 assert get(reverse('api:user_projects_list', kwargs={'pk':admin.pk,}), alice).data['count'] == 2
@pytest.mark.django_db
def test_team_project_list_fail1(get, team_project_list):
objects = team_project_list
res = get(reverse('api:team_projects_list', kwargs={'pk':objects.teams.team2.pk,}), objects.users.alice)
assert res.status_code == 403
@pytest.mark.parametrize("u,expected_status_code", [ @pytest.mark.parametrize("u,expected_status_code", [
('rando', 403), ('rando', 403),
('org_member', 403), ('org_member', 403),

15
awx/main/tests/functional/test_rbac_team.py
View File

@@ -152,3 +152,18 @@ def test_org_admin_view_all_teams(org_admin, enabled):
with mock.patch('awx.main.access.settings') as settings_mock: with mock.patch('awx.main.access.settings') as settings_mock:
settings_mock.ORG_ADMINS_CAN_SEE_ALL_USERS = enabled settings_mock.ORG_ADMINS_CAN_SEE_ALL_USERS = enabled
assert access.can_read(other_team) is enabled assert access.can_read(other_team) is enabled
@pytest.mark.django_db
def test_team_member_read(rando, organization, team):
assert team.organization == organization
organization.member_role.members.add(rando)
assert TeamAccess(rando).can_read(team)
assert team in TeamAccess(rando).get_queryset()
@pytest.mark.django_db
def test_team_list_no_duplicate_entries(rando, organization, team):
organization.member_role.members.add(rando)
team.read_role.members.add(rando)
assert list(TeamAccess(rando).get_queryset()) == [team]