External-Mirrors/awx
2
0
Fork 0
mirror of https://github.com/ansible/awx.git synced 2026-05-15 05:17:36 -02:30
Code Issues Packages Projects Releases Wiki Activity

fix bug in RoleTeamsList

Browse Source
This commit is contained in:
AlanCoding
2016-06-11 18:04:05 -04:00
parent 3e97bdae7f
commit 7f38227e11
2 changed files with 27 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
awx/api/views.py
View File

@@ -3786,6 +3786,11 @@ class RoleTeamsList(ListAPIView):
# XXX: Need to pull in can_attach and can_unattach kinda code from SubListCreateAttachDetachAPIView # XXX: Need to pull in can_attach and can_unattach kinda code from SubListCreateAttachDetachAPIView
role = Role.objects.get(pk=self.kwargs['pk']) role = Role.objects.get(pk=self.kwargs['pk'])
team = Team.objects.get(pk=sub_id) team = Team.objects.get(pk=sub_id)
from awx.main.access import RoleAccess
access = RoleAccess(request.user)
if access.can_attach(role, team, 'members', {"id": role.pk}, skip_sub_obj_read_check=False):
raise PermissionDenied()
if request.data.get('disassociate', None): if request.data.get('disassociate', None):
team.member_role.children.remove(role) team.member_role.children.remove(role)
else: else:

25
awx/main/tests/functional/test_rbac_role.py
View File

@@ -11,17 +11,36 @@ from django.contrib.auth.models import User
@pytest.mark.django_db @pytest.mark.django_db
def test_inventory_read_role_access_functional(rando, inventory, mocker, post): def test_user_role_access_view(rando, inventory, mocker, post):
# rando has read access for the inventory
inventory.read_role.members.add(rando) inventory.read_role.members.add(rando)
role_pk = inventory.admin_role.pk
mock_access = mocker.MagicMock(spec=RoleAccess, id=968) role_pk = inventory.admin_role.pk
mock_access = mocker.MagicMock(spec=RoleAccess, can_attach=mock.MagicMock(return_value=False))
with mocker.patch('awx.main.access.RoleAccess', return_value=mock_access): with mocker.patch('awx.main.access.RoleAccess', return_value=mock_access):
response = post(url=reverse('api:user_roles_list', args=(rando.pk,)), response = post(url=reverse('api:user_roles_list', args=(rando.pk,)),
data={'id': role_pk}, user=rando) data={'id': role_pk}, user=rando)
mock_access.can_attach.assert_called_once_with( mock_access.can_attach.assert_called_once_with(
inventory.admin_role, rando, 'members', {"id": role_pk}, inventory.admin_role, rando, 'members', {"id": role_pk},
skip_sub_obj_read_check=False) skip_sub_obj_read_check=False)
assert rando not in inventory.admin_role
@pytest.mark.django_db
def test_role_team_access_view(rando, team, inventory, mocker, post):
# rando is admin of the team
team.admin_role.members.add(rando)
# team has read_role for the inventory
team.member_role.children.add(inventory.read_role)
role_pk = inventory.admin_role.pk
mock_access = mocker.MagicMock(spec=RoleAccess)
with mocker.patch('awx.main.access.RoleAccess', return_value=mock_access):
response = post(url=reverse('api:role_teams_list', args=(role_pk,)),
data={'id': team.pk}, user=rando)
mock_access.can_attach.assert_called_once_with(
inventory.admin_role, team, 'members', {"id": role_pk},
skip_sub_obj_read_check=False)
assert team not in inventory.admin_role
@pytest.mark.django_db @pytest.mark.django_db
def test_inventory_read_role_user_can_access(rando, inventory): def test_inventory_read_role_user_can_access(rando, inventory):