External-Mirrors/awx
2
0
Fork 0
mirror of https://github.com/ansible/awx.git synced 2026-02-21 05:00:07 -03:30
Code Issues Packages Projects Releases Wiki Activity

Added ability to list users under an organization, model additions to support. Simplified queryset lookup for various models.

Browse Source
This commit is contained in:
Michael DeHaan
2013-03-23 15:34:16 -04:00
parent 284c495c11
commit 6a45aa2823
4 changed files with 36 additions and 49 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
lib/main/base_views.py
View File

@@ -26,7 +26,10 @@ class BaseList(generics.ListCreateAPIView):
raise exceptions.NotImplementedError raise exceptions.NotImplementedError
def get_queryset(self): def get_queryset(self):
return self._get_queryset().filter(active=True) if self.__class__.model == User:
return self._get_queryset().filter(is_active=True)
else:
return self._get_queryset().filter(active=True)
class BaseSubList(BaseList): class BaseSubList(BaseList):

1
lib/main/rbac.py
View File

@@ -48,3 +48,4 @@ class CustomRbac(permissions.BasePermission):
if not view.item_permissions_check(request, obj): if not view.item_permissions_check(request, obj):
raise PermissionDenied() raise PermissionDenied()
return True return True

17
lib/main/tests.py
View File

@@ -224,15 +224,15 @@ class OrganizationsTest(BaseTest):
self.get(projects0_url, expect=401, auth=None) self.get(projects0_url, expect=401, auth=None)
self.get(projects0_url, expect=401, auth=self.get_invalid_credentials()) self.get(projects0_url, expect=401, auth=self.get_invalid_credentials())
# normal user is just a member of the first org, but can't see any projects yet # normal user is just a member of the first org, but can't see any projects under the org
projects0a = self.get(projects0_url, expect=200, auth=self.get_normal_credentials()) projects0a = self.get(projects0_url, expect=403, auth=self.get_normal_credentials())
self.assertEquals(projects0a['count'], 0)
# however in the second org, he's an admin and should see all of them # however in the second org, he's an admin and should see all of them
projects1a = self.get(projects1_url, expect=200, auth=self.get_normal_credentials()) projects1a = self.get(projects1_url, expect=200, auth=self.get_normal_credentials())
self.assertEquals(projects1a['count'], 5) self.assertEquals(projects1a['count'], 5)
projects1b = self.get(projects1_url, expect=200, auth=self.get_other_credentials())
self.assertEquals(projects1b['count'], 0) # but the non-admin cannot access the list of projects in the org. He should use /projects/ instead!
projects1b = self.get(projects1_url, expect=403, auth=self.get_other_credentials())
# superuser should be able to read anything # superuser should be able to read anything
projects9a = self.get(projects9_url, expect=200, auth=self.get_super_credentials()) projects9a = self.get(projects9_url, expect=200, auth=self.get_super_credentials())
@@ -240,7 +240,12 @@ class OrganizationsTest(BaseTest):
def test_get_item_subobjects_users(self): def test_get_item_subobjects_users(self):
pass
# see if we can list the users added to the organization
orgs = self.get(self.collection(), expect=200, auth=self.get_super_credentials())
org1_users_url = orgs['results'][1]['related']['users']
org1_users = self.get(org1_users_url, expect=200, auth=self.get_normal_credentials())
self.assertEquals(org1_users['count'], 1)
def test_get_item_subobjects_admins(self): def test_get_item_subobjects_admins(self):
pass pass

62
lib/main/views.py
View File

@@ -26,11 +26,13 @@ class OrganizationsList(BaseList):
# I am a member of the organization # I am a member of the organization
def _get_queryset(self): def _get_queryset(self):
''' I can see organizations when I am a superuser, or I am an admin or user in that organization '''
base = Organization.objects
if self.request.user.is_superuser: if self.request.user.is_superuser:
return Organization.objects.all() return base.all()
return Organization.objects.filter( return base.filter(
admins__in = [ self.request.user ] admins__in = [ self.request.user ]
).distinct() | Organization.objects.filter( ).distinct() | base.filter(
users__in = [ self.request.user ] users__in = [ self.request.user ]
).distinct() ).distinct()
@@ -52,19 +54,12 @@ class OrganizationsUsersList(BaseList):
serializer_class = UserSerializer serializer_class = UserSerializer
permission_classes = (CustomRbac,) permission_classes = (CustomRbac,)
# I can see the users in the organization if:
# I am a super user
# I am an admin of the organization
def _get_queryset(self): def _get_queryset(self):
# FIXME: ''' to list users in the organization, I must be a superuser or org admin '''
base = User.objects.all(organizations__pk__in = [ self.kwargs.get('pk') ]) organization = Organization.objects.get(pk=self.kwargs['pk'])
if self.request.user.is_superuser: if not (self.request.user.is_superuser or self.request.user in organization.admins.all()):
return base.all() raise PermissionDenied()
return base.objects.filter( return User.objects.filter(organizations__in = [ organization ])
organizations__organization__admins__in = [ self.request.user ]
).distinct()
class OrganizationsAdminsList(BaseList): class OrganizationsAdminsList(BaseList):
@@ -72,21 +67,12 @@ class OrganizationsAdminsList(BaseList):
serializer_class = UserSerializer serializer_class = UserSerializer
permission_classes = (CustomRbac,) permission_classes = (CustomRbac,)
# I can see the admins in the organization if:
# I am a super user
# I am an admin of the organization
def _get_queryset(self): def _get_queryset(self):
''' to list admins in the organization, I must be a superuser or org admin '''
# FIXME organization = Organization.objects.get(pk=self.kwargs['pk'])
base = User.objects.all(admin_of_organizations__pk__in = [ self.kwargs.get('pk') ]) if not self.request.user.is_superuser or self.request.user in organizations.admins.all():
raise PermissionDenied()
if self.request.user.is_superuser: return User.objects.all(admin_of_organizations__in = [ organization ])
return base.all()
return base.filter(
organizations__organization__admins__in = [ self.request.user ]
).distinct()
class OrganizationsProjectsList(BaseSubList): class OrganizationsProjectsList(BaseSubList):
@@ -97,20 +83,12 @@ class OrganizationsProjectsList(BaseSubList):
parent_model = Organization # for sub list parent_model = Organization # for sub list
relationship = 'projects' # " " relationship = 'projects' # " "
# I can see the projects from the organization if:
# I'm the superuser
# I am a an administrator of the organization
# I am a member of a team on the project
def _get_queryset(self): def _get_queryset(self):
base = Project.objects.filter(organizations__in = [ self.kwargs.get('pk') ]) ''' to list projects in the organization, I must be a superuser or org admin '''
if self.request.user.is_superuser: organization = Organization.objects.get(pk=self.kwargs['pk'])
return base.all() if not (self.request.user.is_superuser or self.request.user in organization.admins.all()):
return base.filter( raise PermissionDenied()
organizations__admins__in = [ self.request.user ] return Project.objects.filter(organizations__in = [ organization ])
).distinct() | base.filter(
teams__users__in = [ self.request.user ]
).distinct()
class OrganizationsTagsList(BaseList): class OrganizationsTagsList(BaseList):
# FIXME: guts & tests # FIXME: guts & tests