Proof of concept hacks for RolePermission elimination

Akita Noek
2016-04-15 10:03:50 -04:00
parent 872ce2f9e8
commit 6d34ca9d22
5 changed files with 17 additions and 24 deletions


@@ -183,6 +183,7 @@ class ImplicitRoleField(models.ForeignKey):
role = Role_.objects.create( role = Role_.objects.create(
created=now(), created=now(),
modified=now(), modified=now(),
role_field=self.name,
name=self.role_name, name=self.role_name,
description=self.role_description description=self.role_description
) )
@@ -233,6 +234,7 @@ class ImplicitRoleField(models.ForeignKey):
else: else:
role = Role_.objects.create(created=now(), role = Role_.objects.create(created=now(),
modified=now(), modified=now(),
role_field=path,
singleton_name=singleton_name, singleton_name=singleton_name,
name=singleton_name, name=singleton_name,
description=singleton_name) description=singleton_name)


@@ -31,29 +31,25 @@ class ResourceMixin(models.Model):
performant to resolve the resource in question then call performant to resolve the resource in question then call
`myresource.get_permissions(user)`. `myresource.get_permissions(user)`.
''' '''
return ResourceMixin._accessible_objects(cls, accessor, permissions) return ResourceMixin._accessible_objects(cls, accessor, role_name)
@staticmethod @staticmethod
def _accessible_objects(cls, accessor, permissions): def _accessible_objects(cls, accessor, role_name):
if type(accessor) == User: if type(accessor) == User:
qs = cls.objects.filter( kwargs = {}
role_permissions__role__ancestors__members=accessor kwargs[role_name + '__ancestors__members'] = accessor
) qs = cls.objects.filter(**kwargs)
elif type(accessor) == Role: elif type(accessor) == Role:
qs = cls.objects.filter( kwargs = {}
role_permissions__role__ancestors=accessor kwargs[role_name + '__ancestors'] = accessor
) qs = cls.objects.filter(**kwargs)
else: else:
accessor_type = ContentType.objects.get_for_model(accessor) accessor_type = ContentType.objects.get_for_model(accessor)
roles = Role.objects.filter(content_type__pk=accessor_type.id, roles = Role.objects.filter(content_type__pk=accessor_type.id,
object_id=accessor.id) object_id=accessor.id)
qs = cls.objects.filter( kwargs = {}
role_permissions__role__ancestors__in=roles kwargs[role_name + '__ancestors__in'] = roles
) qs = cls.objects.filter(**kwargs)
for perm in permissions:
qs = qs.annotate(**{'max_' + perm: Max('role_permissions__' + perm)})
qs = qs.filter(**{'max_' + perm: int(permissions[perm])})
#return cls.objects.filter(resource__in=qs) #return cls.objects.filter(resource__in=qs)
return qs return qs
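Review bot: `role_name` is concatenated straight into the ORM lookup key (`kwargs[role_name + '__ancestors__members'] = accessor`) in all three branches of `_accessible_objects`, and with the `permissions` loop removed that lookup is now the only thing deciding which rows an accessor gets back. If a caller passes a name that is not one of the model's role fields, or one containing `__` that traverses to a related model, the query answers a different access question than intended or fails with a field error deep in the ORM. I would reject such names up front, e.g. `if not isinstance(cls._meta.get_field(role_name), ImplicitRoleField): raise ValueError(role_name)` (assuming `ImplicitRoleField` can be imported here without a cycle). Joining through the many-to-many `ancestors` can also return the same object more than once when the accessor reaches the role by several paths, so `return qs.distinct()` is worth considering. The public wrapper's signature lies above the hunk, so its parameter rename and the docstring that still mentions `get_permissions(user)` could not be checked.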


@@ -77,6 +77,7 @@ class Role(CommonModelNameNotUnique):
db_table = 'main_rbac_roles' db_table = 'main_rbac_roles'
singleton_name = models.TextField(null=True, default=None, db_index=True, unique=True) singleton_name = models.TextField(null=True, default=None, db_index=True, unique=True)
role_field = models.TextField(null=False, default=None)
parents = models.ManyToManyField('Role', related_name='children') parents = models.ManyToManyField('Role', related_name='children')
implicit_parents = models.TextField(null=False, default='[]') implicit_parents = models.TextField(null=False, default='[]')
ancestors = models.ManyToManyField('Role', related_name='descendents') # auto-generated by `rebuild_role_ancestor_list` ancestors = models.ManyToManyField('Role', related_name='descendents') # auto-generated by `rebuild_role_ancestor_list`
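Review bot: `role_field = models.TextField(null=False, default=None)` pairs a NOT NULL column with a `None` default, so any `Role.objects.create(...)` that omits `role_field` will try to insert NULL and fail at the database rather than at the call site. The test in this commit already has to pass `role_field=''` to get around that. If an empty value is meant to be legal, `role_field = models.TextField(null=False, default='')` says so directly. Otherwise a comment should state that every caller must supply it and what it holds, since the hunks that set it pass `self.name`, `path` and `'owner_role'`. None of the five files shown looks like a schema migration, so existing `main_rbac_roles` rows would presumably need one as well.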


@@ -131,16 +131,10 @@ def create_user_role(instance, **kwargs):
except Role.DoesNotExist: except Role.DoesNotExist:
role = Role.objects.create( role = Role.objects.create(
name = 'Owner', name = 'Owner',
role_field='owner_role',
content_object = instance, content_object = instance,
) )
role.members.add(instance) role.members.add(instance)
RolePermission.objects.create(
role = role,
resource = instance,
auto_generated = True,
create=1, read=1, write=1, delete=1, update=1,
execute=1, scm_update=1, use=1,
)
def org_admin_edit_members(instance, action, model, reverse, pk_set, **kwargs): def org_admin_edit_members(instance, action, model, reverse, pk_set, **kwargs):
content_type = ContentType.objects.get_for_model(Organization) content_type = ContentType.objects.get_for_model(Organization)
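Review bot: With the `RolePermission.objects.create(...)` row removed, the only link left between the new 'Owner' role and the user is `content_object = instance` plus the string `role_field='owner_role'`, and nothing in this hunk shows the user model having an `owner_role` relation. The rewritten `_accessible_objects` in this commit resolves access by filtering on `<role_name>__ancestors__members`, which needs a real field of that name on the model being queried. Users may therefore stop being reachable through this role, or the lookup may raise; this is inferred, since the user model is not on the page. A test asserting that a newly created user can still access their own record would pin this down, and a comment such as `# role_field must name a role field on the owning model` above the `create` call would document the contract. The `try:` that this `except Role.DoesNotExist` belongs to starts above the hunk.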


@@ -9,8 +9,8 @@ from awx.main.models import (
@pytest.mark.django_db @pytest.mark.django_db
def test_auto_inheritance_by_children(organization, alice): def test_auto_inheritance_by_children(organization, alice):
A = Role.objects.create(name='A') A = Role.objects.create(name='A', role_field='')
B = Role.objects.create(name='B') B = Role.objects.create(name='B', role_field='')
A.members.add(alice) A.members.add(alice)
assert alice not in organization.admin_role assert alice not in organization.admin_role