implement user capabilities in access_list

2026-01-18 05:01:19 -03:30 · 2016-08-30 15:42:52 -04:00 · 2016-08-30 15:42:52 -04:00 · 766a7420a1
commit 766a7420a1
parent a32dd5b535
2 changed files with 11 additions and 2 deletions
--- a/awx/api/serializers.py
+++ b/awx/api/serializers.py
@ -1567,6 +1567,8 @@ class ResourceAccessListElementSerializer(UserSerializer):
                role_dict['resource_name'] = role.content_object.name
                role_dict['resource_type'] = role.content_type.name
                role_dict['related'] = reverse_gfk(role.content_object)
+                role_dict['user_capabilities'] = {'unattach': requesting_user.can_access(
+                    Role, 'unattach', role, user, 'members', data={}, skip_sub_obj_read_check=False)}
            except:
                pass
            return { 'role': role_dict, 'descendant_roles': get_roles_on_resource(obj, role)}
@ -1585,6 +1587,8 @@ class ResourceAccessListElementSerializer(UserSerializer):
                    role_dict['resource_name'] = role.content_object.name
                    role_dict['resource_type'] = role.content_type.name
                    role_dict['related'] = reverse_gfk(role.content_object)
+                    role_dict['user_capabilities'] = {'unattach': requesting_user.can_access(
+                        Role, 'unattach', role, team_role, 'parents', data={}, skip_sub_obj_read_check=False)}
                except:
                    pass
                ret.append({ 'role': role_dict, 'descendant_roles': get_roles_on_resource(obj, team_role)})
--- a/awx/main/access.py
+++ b/awx/main/access.py
@ -1751,8 +1751,13 @@ class RoleAccess(BaseAccess):

    @check_superuser
    def can_unattach(self, obj, sub_obj, relationship, data=None, skip_sub_obj_read_check=False):
-        if not skip_sub_obj_read_check and relationship in ['members', 'member_role.parents']:
-            if not check_user_access(self.user, sub_obj.__class__, 'read', sub_obj):
+        if not skip_sub_obj_read_check and relationship in ['members', 'member_role.parents', 'parents']:
+            # If we are unattaching a team Role, check the Team read access
+            if relationship == 'parents':
+                sub_obj_resource = sub_obj.content_object
+            else:
+                sub_obj_resource = sub_obj
+            if not check_user_access(self.user, sub_obj_resource.__class__, 'read', sub_obj_resource):
                return False

        if isinstance(obj.content_object, ResourceMixin) and \