From 7867a58c007ed6de961f629ada40f860c8b78530 Mon Sep 17 00:00:00 2001
From: Matthew Jones
Date: Tue, 15 Dec 2015 12:12:54 -0500
Subject: [PATCH] RBAC and settings reset
* Initial super-user only rbac with notes for future user-settings support
* Clearing individual and all settings back to defaults
---
 awx/api/views.py | 20 ++++++++++++++++----
 awx/main/access.py | 29 +++++++++++++++++++++++++++++
 2 files changed, 45 insertions(+), 4 deletions(-)
diff --git a/awx/api/views.py b/awx/api/views.py
index 505783a292..dd07c57c0a 100644
--- a/awx/api/views.py
+++ b/awx/api/views.py
@@ -2970,8 +2970,12 @@ class SettingsList(ListCreateAPIView):
 filter_backends = ()
 def get_queryset(self):
+ # TODO: docs
+ if not request.user.is_superuser:
+ # NOTE: Shortcutting the rbac class due to the merging of the settings manifest and the database
+ # we'll need to extend this more in the future when we have user settings
+ return []
 SettingsTuple = namedtuple('Settings', ['key', 'description', 'category', 'value', 'value_type', 'user'])
- # TODO: Filter by what the user can see
 all_defined_settings = {s.key: SettingsTuple(s.key,
 s.description,
 s.category,
@@ -2993,15 +2997,23 @@ class SettingsList(ListCreateAPIView):
 None))
 return settings_actual
+ def delete(self, request, *args, **kwargs):
+ if not request.user.can_access(self.model, 'delete', None):
+ raise PermissionDenied()
+ TowerSettings.objects.all().delete()
+ return Response()
+
 class SettingsReset(APIView):
 view_name = "Reset a settings value"
 new_in_300 = True
 def post(self, request):
- # TODO: RBAC
- setting_key = request.DATA.get('key', None)
- if setting_key is not None:
+ # NOTE: Extend more with user settings
+ if not request.user.can_access(TowerSettings, 'delete', None):
+ raise PermissionDenied()
+ settings_key = request.DATA.get('key', None)
+ if settings_key is not None:
 TowerSettings.objects.filter(key=settings_key).delete()
 return Response(status=status.HTTP_204_NO_CONTENT)
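Review bot: The new guard in get_queryset reads `request.user.is_superuser`, but `request` is not bound in this method (its only parameter is `self`), so the line raises NameError on every call and the list endpoint fails with a server error for superusers and non-superusers alike; the intended check is `if not self.request.user.is_superuser:`. Because the NOTE says the access class is deliberately bypassed here, the visibility rule now exists both in this guard and in TowerSettingsAccess.get_queryset and the two can drift, so the comment should at least name that second copy. get_queryset's body continues past the end of the hunk.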
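Review bot: SettingsList.delete returns a bare `Response()` (a 200 with an empty body) after removing every row with `TowerSettings.objects.all().delete()`, while SettingsReset.post returns 204 for the single-key clear; the two clear operations should agree, `return Response(status=status.HTTP_204_NO_CONTENT)`. The permission check in delete depends on `self.model` being set on SettingsList, which is not visible in this hunk, whereas SettingsReset.post passes `TowerSettings` explicitly; doing the same for the whole-collection delete removes that dependency. SettingsReset.post appears to continue past the end of the hunk.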
diff --git a/awx/main/access.py b/awx/main/access.py
index 4af42b28f2..c043855873 100644
--- a/awx/main/access.py
+++ b/awx/main/access.py
@@ -1563,6 +1563,10 @@ class ActivityStreamAccess(BaseAccess):
 ad_hoc_command_qs = self.user.get_queryset(AdHocCommand)
 qs.filter(ad_hoc_command__in=ad_hoc_command_qs)
+ # TowerSettings Filter
+ settings_qs = self.user.get_queryset(TowerSettings)
+ qs.filter(tower_settings__in=settings_qs)
+
 # organization_qs = self.user.get_queryset(Organization)
 # user_qs = self.user.get_queryset(User)
 # inventory_qs = self.user.get_queryset(Inventory)
@@ -1633,6 +1637,30 @@ class CustomInventoryScriptAccess(BaseAccess):
 return True
 return False
+
+class TowerSettingsAccess(BaseAccess):
+ '''
+ - I can see settings when
+ - I am a super user
+ - I can edit settings when
+ - I am a super user
+ - I can clear settings when
+ - I am a super user
+ '''
+
+ model = TowerSettings
+
+ def get_queryset(self):
+ if self.user.is_superuser:
+ return self.model.objects.all()
+ return self.model.objects.none()
+
+ def can_change(self, obj, data):
+ return self.user.is_superuser
+
+ def can_delete(self, obj):
+ return self.user.is_superuser
+
 register_access(User, UserAccess)
 register_access(Organization, OrganizationAccess)
 register_access(Inventory, InventoryAccess)
@@ -1658,3 +1686,4 @@ register_access(UnifiedJobTemplate, UnifiedJobTemplateAccess)
 register_access(UnifiedJob, UnifiedJobAccess)
 register_access(ActivityStream, ActivityStreamAccess)
 register_access(CustomInventoryScript, CustomInventoryScriptAccess)
+register_access(TowerSettings, TowerSettingsAccess)
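Review bot: The added `qs.filter(tower_settings__in=settings_qs)` discards its result — a Django QuerySet's filter() returns a new queryset and does not mutate `qs` — so the TowerSettings restriction has no effect on what ActivityStreamAccess.get_queryset returns. The preceding context line `qs.filter(ad_hoc_command__in=ad_hoc_command_qs)` has the same pattern, so this may be inherited, but if narrowing is intended the new line should be `qs = qs.filter(tower_settings__in=settings_qs)` and the ad-hoc line fixed the same way. Whether ActivityStream has a `tower_settings` relation is not visible here, and the rest of get_queryset lies outside the hunk, so it may compose these querysets differently.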
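Review bot: TowerSettingsAccess defines can_change and can_delete but no can_add, while the views.py side of this patch exposes settings through a ListCreateAPIView (SettingsList), whose create path presumably consults can_add; unless BaseAccess.can_add is already superuser-only (not visible here), a non-superuser could create settings it cannot read. Adding `def can_add(self, data): return self.user.is_superuser` makes the class match its own docstring ("I can edit settings when I am a super user"). Also, can_change ignores `data` entirely, which is fine for a superuser-only rule but worth stating in the docstring since the class is flagged for extension to user settings.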