incorporating RBAC into auto-population and for lookup modal lists

basically, you shouldn't be able to select a resource you don't have permission to use, either through autopopulation or selecting manually
2026-05-23 00:37:37 -02:30 · 2017-01-20 15:45:00 -08:00
parent fc45603c3b
commit 862a2d3c49
3 changed files with 23 additions and 11 deletions
--- a/awx/ui/client/src/shared/directives.js
+++ b/awx/ui/client/src/shared/directives.js
@@ -495,19 +495,26 @@ angular.module('AWDirectives', ['RestServices', 'Utilities', 'JobsHelper'])
            }

            function _doAutoPopulate() {
-                let query = '';
+                let query = '?role_level=use_role';

                if (attrs.watchbasepath !== undefined && scope[attrs.watchbasepath] !== undefined) {
                    basePath = scope[attrs.watchbasepath];
+                    query = '&role_level=use_role';
                }
                else {
                    basePath = GetBasePath(elm.attr('data-basePath')) || elm.attr('data-basePath');
                    switch(modelName) {
                        case 'credential':
-                            query = '?kind=ssh';
+                            query = '?kind=ssh&role_level=use_role';
                            break;
                        case 'network_credential':
-                            query = '?kind=net';
+                            query = '?kind=net&role_level=use_role';
+                            break;
+                        case 'organization':
+                            query = '?role_level=admin_role';
+                            break;
+                        case 'inventory_script':
+                            query = '?role_level=admin_role';
                            break;
                    }

@@ -517,12 +524,9 @@ angular.module('AWDirectives', ['RestServices', 'Utilities', 'JobsHelper'])
                Rest.get()
                .success(function (data) {
                    if (data.count === 1) {
-                        if(data.results[0].summary_fields.user_capabilities.edit === true){
                        scope[modelKey] = data.results[0].name;
                        scope[modelName] = data.results[0].id;
                    }
-
-                    }
                });
            }

--- a/awx/ui/client/src/shared/stateDefinitions.factory.js
+++ b/awx/ui/client/src/shared/stateDefinitions.factory.js
@@ -643,7 +643,10 @@ export default ['$injector', '$stateExtender', '$log', function($injector, $stat
                    },
                    params: {
                        [field.sourceModel + '_search']: {
-                            value: { page_size: '5' }
+                            value: {
+                                page_size: '5',
+                                role_level: 'use_role'
+                            }
                        }
                    },
                    ncyBreadcrumb: {
@@ -683,6 +686,11 @@ export default ['$injector', '$stateExtender', '$log', function($injector, $stat
                                    interpolator = $interpolate(list.basePath);
                                    path = interpolator({ $rootScope: $rootScope, $stateParams: $stateParams });
                                }
+                                // Need to delete the role_level here b/c organizations and inventory scripts
+                                // don't have a "use_role", only "admin_role" and "read_role"
+                                if(list.iterator === "organization" || list.iterator === "inventory_script"){
+                                    delete $stateParams[`${list.iterator}_search`].role_level;
+                                }
                                return qs.search(path, $stateParams[`${list.iterator}_search`]);
                            }
                        ]