Prevent assigning credential to user of other org (#15296)

Utilizes the `validate_role_assignment` callback from dab (see dab PR #490) to prevent granting credential access to a user of another organization. This logic will work for role_user_assignments and role_team_assignments endpoints. Signed-off-by: Seth Foster <fosterbseth@gmail.com>
2026-05-16 05:47:38 -02:30 · 2024-07-02 17:05:22 -04:00
parent c4688d6298
commit 94e5795dfc
2 changed files with 36 additions and 0 deletions
--- a/awx/main/tests/functional/dab_rbac/test_dab_rbac_api.py
+++ b/awx/main/tests/functional/dab_rbac/test_dab_rbac_api.py
@@ -121,6 +121,28 @@ def test_workflow_creation_permissions(setup_managed_roles, organization, workfl
    assert access.can_add({'name': 'foo-flow', 'organization': organization.pk})


+@pytest.mark.django_db
+def test_assign_credential_to_user_of_another_org(setup_managed_roles, credential, admin_user, rando, org_admin, organization, post):
+    '''Test that a credential can only be assigned to a user in the same organization'''
+    # cannot assign credential to rando, as rando is not in the same org as the credential
+    rd = RoleDefinition.objects.get(name="Credential Admin")
+    credential.organization = organization
+    credential.save(update_fields=['organization'])
+    assert credential.organization not in Organization.access_qs(rando, 'change')
+    url = django_reverse('roleuserassignment-list')
+    resp = post(url=url, data={"user": rando.id, "role_definition": rd.id, "object_id": credential.id}, user=admin_user, expect=400)
+    assert "You cannot grant credential access to a User not in the credentials' organization" in str(resp.data)
+
+    # can assign credential to superuser
+    rando.is_superuser = True
+    rando.save()
+    post(url=url, data={"user": rando.id, "role_definition": rd.id, "object_id": credential.id}, user=admin_user, expect=201)
+
+    # can assign credential to org_admin
+    assert credential.organization in Organization.access_qs(org_admin, 'change')
+    post(url=url, data={"user": org_admin.id, "role_definition": rd.id, "object_id": credential.id}, user=admin_user, expect=201)
+
+
@pytest.mark.django_db
@override_settings(ALLOW_LOCAL_RESOURCE_MANAGEMENT=False)
 def test_team_member_role_not_assignable(team, rando, post, admin_user, setup_managed_roles):