Check that the object we are attaching is readable by us for extra security on attaching resources.

Michael DeHaan
2013-04-19 15:25:19 -04:00
parent 0ed275c3c8
commit 86de2c8846
3 changed files with 39 additions and 9 deletions


@@ -69,6 +69,7 @@ class JobsTest(BaseTest):
)
self.team.users.add(self.other_django_user)
self.team.users.add(self.other2_django_user)
self.project = Project.objects.create(
name = 'testProject',
@@ -115,7 +116,14 @@ class JobsTest(BaseTest):
self.credential = Credential.objects.create(
ssh_key_data = 'xxx',
created_by = self.normal_django_user
created_by = self.normal_django_user,
user = self.other_django_user
)
self.credential2 = Credential.objects.create(
ssh_key_data = 'xxx',
created_by = self.normal_django_user,
team = self.team,
)
self.organization.projects.add(self.project)
@@ -169,11 +177,12 @@ class JobsTest(BaseTest):
# nobody user can't even run check mode
rec['name'] = 'job-foo4'
self.post('/api/v1/job_templates/', rec, expect=403, auth=self.get_nobody_credentials())
rec['credential'] = self.credential2.pk
posted = self.post('/api/v1/job_templates/', rec, expect=201, auth=self.get_other2_credentials())
rec['name'] = 'job-foo5'
rec['job_type'] = PERM_INVENTORY_DEPLOY
self.post('/api/v1/job_templates/', rec, expect=403, auth=self.get_nobody_credentials())
self.post('/api/v1/job_templates/', rec, expect=403, auth=self.get_other2_credentials())
self.post('/api/v1/job_templates/', rec, expect=201, auth=self.get_other2_credentials())
url = posted['url']
# verify we can also get the job template record
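Review bot: The denial path this commit is about is never exercised in the last hunk: once `rec['credential']` is set to the team-owned `self.credential2.pk`, every post by `get_other2_credentials()` expects 201, and the only `expect=403` posts use `get_nobody_credentials()`, which the existing comment says is refused regardless of the credential. A case where an otherwise-authorized user attaches a credential they cannot read would pin the new check, for example `rec['credential'] = self.credential.pk` followed by `self.post('/api/v1/job_templates/', rec, expect=403, auth=self.get_other2_credentials())`; this assumes other2 has no read access to the user-owned `self.credential`, which the access rules (not visible here) would need to confirm. The page also shows both an `expect=403` and an `expect=201` post for other2 with `PERM_INVENTORY_DEPLOY`; if the 403 line is the removed side, the test now allows something it used to deny, and a short comment such as `# other2 may deploy because credential2 belongs to their team` would record why. The test method starts and ends outside the hunk.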