RBAC and settings reset

* Initial super-user only rbac with notes for future user-settings
  support
* Clearing individual and all settings back to defaults

awx/api/views.py

@@ -2970,8 +2970,12 @@ class SettingsList(ListCreateAPIView):
     filter_backends = ()
 
     def get_queryset(self):
+        # TODO: docs
+        if not request.user.is_superuser:
+            # NOTE: Shortcutting the rbac class due to the merging of the settings manifest and the database
+            #       we'll need to extend this more in the future when we have user settings
+            return []
         SettingsTuple = namedtuple('Settings', ['key', 'description', 'category', 'value', 'value_type', 'user'])
-        # TODO: Filter by what the user can see
         all_defined_settings = {s.key: SettingsTuple(s.key,
                                                      s.description,
                                                      s.category,
@@ -2993,15 +2997,23 @@ class SettingsList(ListCreateAPIView):
                                                      None))
         return settings_actual
 
+    def delete(self, request, *args, **kwargs):
+        if not request.user.can_access(self.model, 'delete', None):
+            raise PermissionDenied()
+        TowerSettings.objects.all().delete()
+        return Response()
+
 class SettingsReset(APIView):
 
     view_name = "Reset a settings value"
     new_in_300 = True
 
     def post(self, request):
-        # TODO: RBAC
+        # NOTE: Extend more with user settings
-        setting_key = request.DATA.get('key', None)
+        if not request.user.can_access(TowerSettings, 'delete', None):
-        if setting_key is not None:
+            raise PermissionDenied()
+        settings_key = request.DATA.get('key', None)
+        if settings_key is not None:
             TowerSettings.objects.filter(key=settings_key).delete()
         return Response(status=status.HTTP_204_NO_CONTENT)
 

awx/main/access.py

@@ -1563,6 +1563,10 @@ class ActivityStreamAccess(BaseAccess):
         ad_hoc_command_qs = self.user.get_queryset(AdHocCommand)
         qs.filter(ad_hoc_command__in=ad_hoc_command_qs)
 
+        # TowerSettings Filter
+        settings_qs = self.user.get_queryset(TowerSettings)
+        qs.filter(tower_settings__in=settings_qs)
+
         # organization_qs = self.user.get_queryset(Organization)
         # user_qs = self.user.get_queryset(User)
         # inventory_qs = self.user.get_queryset(Inventory)
@@ -1633,6 +1637,30 @@ class CustomInventoryScriptAccess(BaseAccess):
             return True
         return False
 
+
+class TowerSettingsAccess(BaseAccess):
+    '''
+    - I can see settings when
+      - I am a super user
+    - I can edit settings when
+      - I am a super user
+    - I can clear settings when
+      - I am a super user
+    '''
+
+    model = TowerSettings
+
+    def get_queryset(self):
+        if self.user.is_superuser:
+            return self.model.objects.all()
+        return self.model.objects.none()
+
+    def can_change(self, obj, data):
+        return self.user.is_superuser
+
+    def can_delete(self, obj):
+        return self.user.is_superuser
+
 register_access(User, UserAccess)
 register_access(Organization, OrganizationAccess)
 register_access(Inventory, InventoryAccess)
@@ -1658,3 +1686,4 @@ register_access(UnifiedJobTemplate, UnifiedJobTemplateAccess)
 register_access(UnifiedJob, UnifiedJobAccess)
 register_access(ActivityStream, ActivityStreamAccess)
 register_access(CustomInventoryScript, CustomInventoryScriptAccess)
+register_access(TowerSettings, TowerSettingsAccess)