From 7973a18103ab36eb9e06cf902cbb50702a52bc4c Mon Sep 17 00:00:00 2001
From: Jeff Bradberry
Date: Fri, 16 Aug 2019 11:52:21 -0400
Subject: [PATCH] Switch to using a permission class for the webhook secret key view
This view is now behaving as expected for superuser, org admin, JT admin, JT exec, and org member roles.
---
 awx/api/permissions.py | 5 +++++
 awx/api/views/webhooks.py | 6 ++----
 2 files changed, 7 insertions(+), 4 deletions(-)
diff --git a/awx/api/permissions.py b/awx/api/permissions.py
index 34ee7f76fb..ecaabc4b91 100644
--- a/awx/api/permissions.py
+++ b/awx/api/permissions.py
@@ -249,3 +249,8 @@ class InstanceGroupTowerPermission(ModelAccessPermission):
 if request.method == 'DELETE' and obj.name == "tower":
 return False
 return super(InstanceGroupTowerPermission, self).has_object_permission(request, view, obj)
+
+
+class WebhookKeyPermission(permissions.BasePermission):
+ def has_object_permission(self, request, view, obj):
+ return request.user.can_access(view.model, 'admin', obj, request.data)
diff --git a/awx/api/views/webhooks.py b/awx/api/views/webhooks.py
index 7ba1831738..eeec1edc05 100644
--- a/awx/api/views/webhooks.py
+++ b/awx/api/views/webhooks.py
@@ -10,11 +10,13 @@ from rest_framework.response import Response
 from awx.api import serializers
 from awx.api.generics import APIView, GenericAPIView
+from awx.api.permissions import WebhookKeyPermission
 from awx.main.models import JobTemplate, WorkflowJobTemplate
 class WebhookKeyView(GenericAPIView):
 serializer_class = serializers.EmptySerializer
+ permission_classes = (WebhookKeyPermission,)
 @property
 def model(self):
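Review bot: `WebhookKeyPermission` overrides only `has_object_permission`, so (assuming `permissions` is the REST framework module) it inherits `BasePermission.has_permission`, which allows every request. Because webhooks.py sets `permission_classes = (WebhookKeyPermission,)`, whatever request-level check the view inherited before, which this patch does not show, no longer runs. An unauthenticated request would then reach `request.user.can_access(...)`, which is presumably not defined for an anonymous user and would surface as a server error instead of a clean 401/403. I would add an explicit gate, `def has_permission(self, request, view): return bool(request.user and request.user.is_authenticated)`, together with a one-line docstring stating that only users with 'admin' access to the object may reach the webhook secret key.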
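Review bot: The object-level check named in `permission_classes` runs only when a handler calls `get_object()`, so the key stays protected only while every method on `WebhookKeyView` goes through it. A comment above the attribute would make that contract explicit, for example `# Enforced via get_object(); every handler must call it before touching the key.` The commit message lists the roles the view was checked against, but the diffstat contains no test file, so one test case per named role plus an anonymous request would keep this from regressing. The `PermissionDenied` import is not touched by this patch (2 additions, 4 deletions in this file) and may now be unused if nothing else in webhooks.py references it; the class body continues outside the hunk.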
@@ -32,10 +34,6 @@ class WebhookKeyView(GenericAPIView):
 # Provide a fallback do-nothing queryset so that get_object() has something to work with.
 return JobTemplate.objects.none()
- def check_object_permissions(self, request, obj):
- if not request.user.can_access(self.model, 'admin', obj, request.data):
- raise PermissionDenied
-
 def get(self, request, *args, **kwargs):
 obj = self.get_object()