From 6d961d92c90ea68d8e1237f4b2b3b3a35875210d Mon Sep 17 00:00:00 2001
From: AlanCoding
Date: Fri, 17 Feb 2017 15:55:05 -0500
Subject: [PATCH] block system auditors from attaching notification templates
---
 awx/main/access.py | 7 +++++++
 awx/main/tests/functional/test_rbac_notifications.py | 12 +++++++++++-
 2 files changed, 18 insertions(+), 1 deletion(-)
diff --git a/awx/main/access.py b/awx/main/access.py
index 8abc5b7ff6..314d152f10 100644
--- a/awx/main/access.py
+++ b/awx/main/access.py
@@ -1229,6 +1229,13 @@ class JobTemplateAccess(BaseAccess):
 "active_jobs": active_jobs})
 return True
+ @check_superuser
+ def can_attach(self, obj, sub_obj, relationship, data, skip_sub_obj_read_check=False):
+ if isinstance(sub_obj, NotificationTemplate):
+ return self.check_related('organization', Organization, {}, obj=sub_obj, mandatory=True)
+ return super(JobTemplateAccess, self).can_attach(
+ obj, sub_obj, relationship, data, skip_sub_obj_read_check=skip_sub_obj_read_check)
+
 class JobAccess(BaseAccess):
 '''
diff --git a/awx/main/tests/functional/test_rbac_notifications.py b/awx/main/tests/functional/test_rbac_notifications.py
index 05f19740fe..80255da0d1 100644
--- a/awx/main/tests/functional/test_rbac_notifications.py
+++ b/awx/main/tests/functional/test_rbac_notifications.py
@@ -2,7 +2,8 @@ import pytest
 from awx.main.access import (
 NotificationTemplateAccess,
- NotificationAccess
+ NotificationAccess,
+ JobTemplateAccess
 )
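Review bot: In `JobTemplateAccess.can_attach`, the `NotificationTemplate` branch returns on the notification template's organization alone and never consults `obj`, so nothing in this branch confirms that the caller may change the job template being modified. The early return also skips `super().can_attach(...)`; if that base implementation (outside the hunk) is what enforces change permission on `obj`, a user who administers only the template's organization would pass this check for a job template they do not control. Consider requiring both conditions, e.g. `return self.can_change(obj, None) and self.check_related('organization', Organization, {}, obj=sub_obj, mandatory=True)`, assuming `can_change(obj, None)` is this class's change check. A short comment such as `# attaching a notification template requires admin on its organization, not just read access` would also record why this type is special-cased. The class body starts and ends outside the hunk, so confirm the existing `can_change` behaviour before adopting this.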
@@ -119,6 +120,15 @@ def test_notification_access_system_admin(notification, admin):
 assert access.can_delete(notification)
+@pytest.mark.django_db
+def test_system_auditor_JT_attach(system_auditor, job_template, notification_template):
+ job_template.admin_role.members.add(system_auditor)
+ access = JobTemplateAccess(system_auditor)
+ assert not access.can_attach(
+ job_template, notification_template, 'notification_templates_success',
+ {'id': notification_template.id})
+
+
 @pytest.mark.django_db
 def test_notification_access_org_admin(notification, org_admin):
 access = NotificationAccess(org_admin)
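Review bot: `test_system_auditor_JT_attach` pins only the denial for a system auditor who holds the job template's admin role; it does not cover the new branch's allow path, nor a user who administers the notification template's organization but has no rights on the job template. A regression that made the `NotificationTemplate` branch return False for every non-superuser would still pass this test. Add a companion case asserting `can_attach` is true for a user holding both job-template admin and organization admin, and one asserting it is false for an organization admin with no role on the job template. A one-line docstring such as `"""System auditors with JT admin must not attach notification templates."""` would state the intent of the existing case.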