From 747a2283d66baaa026ef73a678646c40ade8d435 Mon Sep 17 00:00:00 2001
From: Jeff Bradberry
Date: Wed, 14 Aug 2019 14:50:50 -0400
Subject: [PATCH] Attempt to get the RBAC right on the webhook secret key view

---
 awx/api/views/webhooks.py | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/awx/api/views/webhooks.py b/awx/api/views/webhooks.py
index 66c8e51ced..7ba1831738 100644
--- a/awx/api/views/webhooks.py
+++ b/awx/api/views/webhooks.py
@@ -23,13 +23,18 @@ class WebhookKeyView(GenericAPIView):
 'workflow_job_templates': WorkflowJobTemplate,
 }
 model = qs_models.get(self.kwargs['model_kwarg'])
- if model is None:
- raise PermissionDenied
-
 return model
 
 def get_queryset(self):
- return self.request.user.get_queryset(self.model)
+ model = self.model
+ if model:
+ return self.request.user.get_queryset(model)
+ # Provide a fallback do-nothing queryset so that get_object() has something to work with.
+ return JobTemplate.objects.none()
+
+ def check_object_permissions(self, request, obj):
+ if not request.user.can_access(self.model, 'admin', obj, request.data):
+ raise PermissionDenied
 
 def get(self, request, *args, **kwargs):
 obj = self.get_object()
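Review bot: The new `check_object_permissions` replaces the inherited hook without calling `super().check_object_permissions(request, obj)`, so any object-level checks contributed by the view's permission classes no longer run on this endpoint. Those classes are not visible in the hunk, so either confirm that bypass is intended or call super first and then apply the `'admin'` check. In `get_queryset`, `if model:` tests the truthiness of a class where `if model is not None:` would state the intent. With `raise PermissionDenied` removed from the `model` lookup, an unrecognized `model_kwarg` is only rejected because the empty fallback queryset presumably makes `get_object()` fail before `self.model` (then `None`) reaches `can_access`. That ordering deserves a test, together with one showing a user who can read a template but not administer it is refused the key; the `get` method continues outside the hunk.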