From 9a44dc4ba0427b6ed5ec030945a9d12950623663 Mon Sep 17 00:00:00 2001
From: AlanCoding
Date: Thu, 13 Oct 2016 15:18:29 -0400
Subject: [PATCH 1/2] add can_read method to JobAccess
---
 awx/main/access.py | 23 +++++++++++++++++------
 1 file changed, 17 insertions(+), 6 deletions(-)
diff --git a/awx/main/access.py b/awx/main/access.py
index c70e6331c9..e11ed4a13a 100644
--- a/awx/main/access.py
+++ b/awx/main/access.py
@@ -1168,6 +1168,22 @@ class JobAccess(BaseAccess):
Q(inventory__organization__in=org_access_qs) | Q(project__organization__in=org_access_qs)).distinct()
+ def org_access(self, obj):
+ """
+ Via the organization of a related resource, user has a claim to org_admin access of this job
+ """
+ if obj.inventory and obj.inventory.organization and self.user in obj.inventory.organization.admin_role:
+ return True
+ elif obj.project and obj.project.organization and self.user in obj.project.organization.admin_role:
+ return True
+ return False
+
+ @check_superuser
+ def can_read(self, obj):
+ if obj.job_template and self.user in obj.job_template.read_role:
+ return True
+ return self.org_access(obj)
+
def can_add(self, data):
if not data: # So the browseable API will work
return True
@@ -1196,12 +1212,7 @@ class JobAccess(BaseAccess):
@check_superuser
def can_delete(self, obj):
- if obj.inventory is not None and self.user in obj.inventory.organization.admin_role:
- return True
- if (obj.project is not None and obj.project.organization is not None and
- self.user in obj.project.organization.admin_role):
- return True
- return False
+ return self.org_access(obj)
def can_start(self, obj, validate_license=True):
if validate_license:
From 5e4a4b972230859c458ebd9be482782e4019d822 Mon Sep 17 00:00:00 2001
From: AlanCoding
Date: Fri, 14 Oct 2016 15:52:41 -0400
Subject: [PATCH 2/2] refactor Job can_read to allow for org admins and auditors to read
---
 awx/main/access.py | 25 ++++++++++++++++---------
 1 file changed, 16 insertions(+), 9 deletions(-)
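Review bot: The new can_read carries no docstring, and the grant set it encodes is precisely what the next person touching job authorization needs spelled out next to the code; add `"""Read: holders of the job template's read_role, or admins of the inventory's or project's organization."""` directly under `def can_read(self, obj):`. The org_access docstring above it should also say that the check is an OR across the two related organizations, so an admin of the inventory's org is granted even when the project belongs to a different org. The get_queryset filter visible at the top of the hunk (`Q(inventory__organization__in=org_access_qs) | Q(project__organization__in=org_access_qs)`) is built from an org_access_qs defined outside the hunk; can_read and that queryset must grant the same set or list and detail views diverge, so a one-line comment tying the two together (`# must stay in sync with get_queryset above`) is worth adding. can_add's body continues outside the hunk.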
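Review bot: can_delete now grants deletion to any admin of either related organization but still looks only at roles, not at the job's state; if deleting a running job is blocked elsewhere (presumably the API view), a comment such as `# running-job protection is enforced in the view, not here` saves the next reader a search, and if it is not, a status check belongs in this method. The old code would have raised AttributeError on an inventory without an organization, which the delegated org_access guards against, so the refactor is strictly safer. can_start's body continues outside the hunk.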
diff --git a/awx/main/access.py b/awx/main/access.py
index e11ed4a13a..875ab33b7b 100644
--- a/awx/main/access.py
+++ b/awx/main/access.py
@@ -1168,21 +1168,28 @@ class JobAccess(BaseAccess):
Q(inventory__organization__in=org_access_qs) | Q(project__organization__in=org_access_qs)).distinct()
- def org_access(self, obj):
- """
- Via the organization of a related resource, user has a claim to org_admin access of this job
- """
- if obj.inventory and obj.inventory.organization and self.user in obj.inventory.organization.admin_role:
- return True
- elif obj.project and obj.project.organization and self.user in obj.project.organization.admin_role:
- return True
+ def related_orgs(self, obj):
+ orgs = []
+ if obj.inventory and obj.inventory.organization:
+ orgs.append(obj.inventory.organization)
+ if obj.project and obj.project.organization and obj.project.organization not in orgs:
+ orgs.append(obj.project.organization)
+ return orgs
+
+ def org_access(self, obj, role_types=['admin_role']):
+ orgs = self.related_orgs(obj)
+ for org in orgs:
+ for role_type in role_types:
+ role = getattr(org, role_type)
+ if self.user in role:
+ return True
return False
@check_superuser
def can_read(self, obj):
if obj.job_template and self.user in obj.job_template.read_role:
return True
- return self.org_access(obj)
+ return self.org_access(obj, role_types=['auditor_role', 'admin_role'])
def can_add(self, data):
if not data: # So the browseable API will work
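Review bot: `role_types=['admin_role']` in the new org_access signature is a mutable default argument; nothing mutates it today, but a tuple `role_types=('admin_role',)` (and `('auditor_role', 'admin_role')` at the can_read call site) removes the hazard and keeps the role list hashable should it ever be cached or compared. The larger concern is consistency: can_read now grants organization auditors, while the get_queryset filter visible at the top of the hunk (`Q(inventory__organization__in=org_access_qs)`) is built from an org_access_qs defined outside the hunk — if that queryset is still admin-only, an auditor can GET a job by id that never appears in the list (or the reverse), so both paths should be driven from the same role tuple. Each `self.user in role` is a database lookup, so the nested loop costs at most orgs × roles queries, which is fine here but worth a docstring on org_access stating `"""True if the user holds any of role_types on an organization reached through the job's inventory or project."""`. can_add's body continues outside the hunk.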