Force custom inventory script organization to match the organization of

an inventory source's inventory when creating/updating the inventory source
2026-01-15 20:00:43 -03:30 · 2014-12-16 13:00:33 -05:00 · 2014-12-16 13:00:33 -05:00 · 76a7d25131
commit 76a7d25131
parent b0d6628d46
2 changed files with 18 additions and 0 deletions
--- a/awx/api/serializers.py
+++ b/awx/api/serializers.py
@ -1020,6 +1020,11 @@ class InventorySourceOptionsSerializer(BaseSerializer):
        if 'source' in attrs and attrs.get('source', '') == 'custom':
            if src is None or src == '':
                raise serializers.ValidationError("source_script must be provided")
+            try:
+                if src.organization != self.object.inventory.organization:
+                    raise serializers.ValidationError("source_script does not belong to the same organization as the inventory")
+            except Exception, e:
+                raise serializers.ValidationError("source_script doesn't exist")
        return attrs

    def validate_source_vars(self, attrs, source):
--- a/awx/main/tests/inventory.py
+++ b/awx/main/tests/inventory.py
@ -1809,3 +1809,16 @@ class InventoryUpdatesTest(BaseTransactionTest):
        with self.current_user(self.super_django_user):
            response = self.put(custom_inv_src, inv_src_opts, expect=200)
        self.check_inventory_source(custom_group.inventory_source)
+
+        # This shouldn't work because we are trying to use a custom script from one organization with
+        # an inventory that belong to a different organization
+        other_org = self.make_organizations(self.super_django_user, 1)[0]
+        other_inv = other_org.inventories.create(name="A Different Org")
+        other_group = other_inv.groups.create(name='A Different Org Group')
+        other_inv_src = reverse('api:inventory_source_detail',
+                                args=(other_group.inventory_source.pk,))
+        other_inv_update = reverse('api:inventory_source_update_view',
+                                   args=(other_group.inventory_source.pk,))
+        other_inv_src_opts = {'source': 'custom', 'source_script': script_data['id']}
+        with self.current_user(self.super_django_user):
+            self.put(other_inv_src, other_inv_src_opts, expect=400)