Merge pull request #3932 from AlanCoding/rbac_related_fixes

Quick RBAC check_related fixes
2026-01-26 16:11:30 -03:30 · 2016-11-10 12:20:42 -05:00 · 2016-11-10 12:20:42 -05:00 · 75c364930f
commit 75c364930f
parent 1a3d452a2d 2c9cf0f6d6
2 changed files with 14 additions and 5 deletions
--- a/awx/main/access.py
+++ b/awx/main/access.py
@ -921,7 +921,7 @@ class ProjectAccess(BaseAccess):

    @check_superuser
    def can_change(self, obj, data):
-        if not self.check_related('organization', Organization, data):
+        if not self.check_related('organization', Organization, data, obj=obj):
            return False
        return self.user in obj.admin_role

@ -1523,7 +1523,7 @@ class WorkflowJobTemplateAccess(BaseAccess):
        if 'survey_enabled' in data and data['survey_enabled']:
            self.check_license(feature='surveys')

-        return self.check_related('organization', Organization, data)
+        return self.check_related('organization', Organization, data, mandatory=True)

    def can_start(self, obj, validate_license=True):
        if validate_license:
@ -1974,7 +1974,8 @@ class LabelAccess(BaseAccess):
    def can_change(self, obj, data):
        if self.can_add(data) is False:
            return False
-        return self.check_related('organization', Organization, data, obj=obj, mandatory=True)
+
+        return self.user in obj.organization.admin_role

    def can_delete(self, obj):
        return self.can_change(obj, None)
@ -2070,11 +2071,11 @@ class CustomInventoryScriptAccess(BaseAccess):
    def can_add(self, data):
        if not data:  # So the browseable API will work
            return Organization.accessible_objects(self.user, 'admin_role').exists()
-        return self.check_related('organization', Organization, data)
+        return self.check_related('organization', Organization, data, mandatory=True)

    @check_superuser
    def can_admin(self, obj, data=None):
-        return self.check_related('organization', Organization, data, obj=obj)
+        return self.check_related('organization', Organization, data, obj=obj) and self.user in obj.admin_role

    @check_superuser
    def can_change(self, obj, data):
--- a/awx/main/tests/functional/test_rbac_inventory.py
+++ b/awx/main/tests/functional/test_rbac_inventory.py
@ -39,6 +39,14 @@ def test_modify_inv_script_foreign_org_admin(org_admin, organization, organizati
    access = CustomInventoryScriptAccess(org_admin)
    assert not access.can_change(custom_inv, {'organization': other_org.pk, 'name': 'new-project'})

+@pytest.mark.django_db
+def test_org_member_inventory_script_permissions(org_member, organization):
+    custom_inv = CustomInventoryScript.objects.create(name='test', script='test', organization=organization)
+    access = CustomInventoryScriptAccess(org_member)
+    assert access.can_read(custom_inv)
+    assert not access.can_delete(custom_inv)
+    assert not access.can_change(custom_inv, {'name': 'ed-test'})
+
@pytest.mark.django_db
 def test_inventory_admin_user(inventory, permissions, user):
    u = user('admin', False)