External-Mirrors/awx
2
0
Fork 0
mirror of https://github.com/ansible/awx.git synced 2026-01-15 11:50:42 -03:30
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #2045 from AlanCoding/can_see_all_teams

Browse Source 
Show org-admins all teams if ALL USERS setting enabled
This commit is contained in:
Alan Rominger 2018-06-05 08:39:59 -04:00 committed by GitHub
commit 88051cc9fc
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 18 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
awx/main/access.py
View File

@ -1114,6 +1114,9 @@ class TeamAccess(BaseAccess):
select_related = ('created_by', 'modified_by', 'organization',)
def filtered_queryset(self):
if settings.ORG_ADMINS_CAN_SEE_ALL_USERS and \
(self.user.admin_of_organizations.exists() or self.user.auditor_of_organizations.exists()):
return self.model.objects.all()
return self.model.accessible_objects(self.user, 'read_role')
@check_superuser

3
awx/main/conf.py
View File

@ -38,7 +38,8 @@ register(
'ORG_ADMINS_CAN_SEE_ALL_USERS',
field_class=fields.BooleanField,
label=_('All Users Visible to Organization Admins'),
help_text=_('Controls whether any Organization Admin can view all users, even those not associated with their Organization.'),
help_text=_('Controls whether any Organization Admin can view all users and teams, '
'even those not associated with their Organization.'),
category=_('System'),
category_slug='system',
)

14
awx/main/tests/functional/test_rbac_team.py
View File

@ -1,7 +1,8 @@
import pytest
import mock
from awx.main.access import TeamAccess
from awx.main.models import Project
from awx.main.models import Project, Organization, Team
@pytest.mark.django_db
@ -116,3 +117,14 @@ def test_org_admin_team_access(organization, team, user, project):
team.member_role.children.add(project.use_role)
assert len(Project.accessible_objects(u, 'use_role')) == 1
@pytest.mark.django_db
@pytest.mark.parametrize('enabled', [True, False])
def test_org_admin_view_all_teams(org_admin, enabled):
access = TeamAccess(org_admin)
other_org = Organization.objects.create(name='other-org')
other_team = Team.objects.create(name='other-team', organization=other_org)
with mock.patch('awx.main.access.settings') as settings_mock:
settings_mock.ORG_ADMINS_CAN_SEE_ALL_USERS = enabled
assert access.can_read(other_team) is enabled