External-Mirrors/awx
2
0
Fork 0
mirror of https://github.com/ansible/awx.git synced 2026-03-04 10:11:05 -03:30
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #1514 from wwitzel3/rbac-bug-1477

Browse Source 
RBAC JobTemplate / Job Access Updates
This commit is contained in:
Wayne Witzel III
2016-04-13 14:50:17 -04:00
parent fe3f01a6fc c2e9237b14
commit 90f9e5185a
1 changed files with 17 additions and 25 deletions
Download Patch File Download Diff File Expand all files Collapse all files

40
awx/main/access.py
View File

@@ -772,26 +772,14 @@ class JobTemplateAccess(BaseAccess):
# Super users can start any job # Super users can start any job
if self.user.is_superuser: if self.user.is_superuser:
return True return True
# Check to make sure both the inventory and project exist
if obj.inventory is None:
return False
if obj.job_type == PERM_INVENTORY_SCAN: if obj.job_type == PERM_INVENTORY_SCAN:
if obj.project is None and obj.inventory.organization.accessible_by(self.user, {'read':True, 'update':True, 'write':True}): # Scan job with default project, must have JT execute or be org admin
return True if obj.project is None and obj.inventory:
if not obj.inventory.organization.accessible_by(self.user, {'read':True, 'update':True, 'write':True}): return (obj.accessible_by(self.user, {'execute': True}) or
return False obj.inventory.organization.accessible_by(self.user, ALL_PERMISSIONS))
if obj.project is None:
return False
# Given explicit execute access to this JobTemplate return obj.accessible_by(self.user, {'execute':True})
if obj.accessible_by(self.user, {'execute':True}):
return True
# If the user has admin access to the project they can start a job
if obj.project.accessible_by(self.user, ALL_PERMISSIONS):
return True
return obj.inventory.accessible_by(self.user, {'read':True}) and obj.project.accessible_by(self.user, {'read':True})
def can_change(self, obj, data): def can_change(self, obj, data):
data_for_change = data data_for_change = data
@@ -867,14 +855,18 @@ class JobAccess(BaseAccess):
# A super user can relaunch a job # A super user can relaunch a job
if self.user.is_superuser: if self.user.is_superuser:
return True return True
# If a user can launch the job template then they can relaunch a job from that # If a user can launch the job template then they can relaunch a job from that
# job template # job template
has_perm = False if obj.job_template is not None:
if obj.job_template is not None and obj.job_template.accessible_by(self.user, {'execute':True}): return obj.job_template.accessible_by(self.user, {'execute': True})
has_perm = True
dep_access_inventory = obj.inventory.accessible_by(self.user, {'read':True}) inventory_access = obj.inventory.accessible_by(self.user, {'use':True})
dep_access_project = obj.project is None or obj.project.accessible_by(self.user, {'read':True})
return self.can_read(obj) and dep_access_inventory and dep_access_project and has_perm org_access = obj.inventory.organization.accessible_by(self.user, ALL_PERMISSIONS)
project_access = obj.project is None or obj.project.accessible_by(self.user, ALL_PERMISSIONS)
return inventory_access and (org_access or project_access)
def can_cancel(self, obj): def can_cancel(self, obj):
return self.can_read(obj) and obj.can_cancel return self.can_read(obj) and obj.can_cancel