prevent input source changes without use role on source cred

To update an input source, the user must have admin access to the target credential and at least use role on the source credential.
2026-03-10 22:19:28 -02:30 · 2019-03-27 14:18:26 -04:00
parent 8c107a5fa8
commit 7ca92e4c1e
2 changed files with 55 additions and 3 deletions
--- a/awx/main/access.py
+++ b/awx/main/access.py
@@ -1202,7 +1202,10 @@ class CredentialInputSourceAccess(BaseAccess):
        if self.can_add(data) is False:
            return False

-        return self.user in obj.target_credential.admin_role
+        return (
+            self.user in obj.target_credential.admin_role and
+            self.user in obj.source_credential.use_role
+        )

    @check_superuser
    def can_delete(self, obj):