From d302f134ac6a751b846a2f164f636ba355a7ba48 Mon Sep 17 00:00:00 2001 From: AlanCoding Date: Thu, 18 Jul 2019 11:14:57 -0400 Subject: [PATCH] Kill off all can_read access methods --- awx/main/access.py | 55 ------------------- awx/main/tests/functional/test_rbac_label.py | 2 +- .../functional/test_rbac_notifications.py | 2 +- 3 files changed, 2 insertions(+), 57 deletions(-) diff --git a/awx/main/access.py b/awx/main/access.py index 78aaa2f5d2..fcd424a9d5 100644 --- a/awx/main/access.py +++ b/awx/main/access.py @@ -833,10 +833,6 @@ class InventoryAccess(BaseAccess): def filtered_queryset(self, allowed=None, ad_hoc=None): return self.model.accessible_objects(self.user, 'read_role') - @check_superuser - def can_read(self, obj): - return self.user in obj.read_role - @check_superuser def can_use(self, obj): return self.user in obj.use_role @@ -906,9 +902,6 @@ class HostAccess(BaseAccess): def filtered_queryset(self): return self.model.objects.filter(inventory__in=Inventory.accessible_pk_qs(self.user, 'read_role')) - def can_read(self, obj): - return obj and self.user in obj.inventory.read_role - def can_add(self, data): if not data: # So the browseable API will work return Inventory.accessible_objects(self.user, 'admin_role').exists() @@ -970,9 +963,6 @@ class GroupAccess(BaseAccess): def filtered_queryset(self): return Group.objects.filter(inventory__in=Inventory.accessible_pk_qs(self.user, 'read_role')) - def can_read(self, obj): - return obj and self.user in obj.inventory.read_role - def can_add(self, data): if not data or 'inventory' not in data: return False 
@@ -1016,12 +1006,6 @@ class InventorySourceAccess(NotificationAttachMixin, BaseAccess): def filtered_queryset(self): return self.model.objects.filter(inventory__in=Inventory.accessible_pk_qs(self.user, 'read_role')) - def can_read(self, obj): - if obj and obj.inventory: - return self.user.can_access(Inventory, 'read', obj.inventory) - else: - return False - def can_add(self, data): if not data or 'inventory' not in data: return Organization.accessible_objects(self.user, 'admin_role').exists() @@ -1114,9 +1098,6 @@ class CredentialTypeAccess(BaseAccess): model = CredentialType prefetch_related = ('created_by', 'modified_by',) - def can_read(self, obj): - return True - def can_use(self, obj): return True @@ -1158,10 +1139,6 @@ class CredentialAccess(BaseAccess): def filtered_queryset(self): return self.model.accessible_objects(self.user, 'read_role') - @check_superuser - def can_read(self, obj): - return self.user in obj.read_role - @check_superuser def can_add(self, data): if not data: # So the browseable API will work @@ -1224,10 +1201,6 @@ class CredentialInputSourceAccess(BaseAccess): return CredentialInputSource.objects.filter( target_credential__in=Credential.accessible_pk_qs(self.user, 'read_role')) - @check_superuser - def can_read(self, obj): - return self.user in obj.target_credential.read_role - @check_superuser def can_add(self, data): return ( @@ -1976,10 +1949,6 @@ class WorkflowJobTemplateAccess(NotificationAttachMixin, BaseAccess): def filtered_queryset(self): return self.model.accessible_objects(self.user, 'read_role') - @check_superuser - def can_read(self, obj): - return self.user in obj.read_role - @check_superuser def can_add(self, data): ''' 
@@ -2491,14 +2460,6 @@ class NotificationTemplateAccess(BaseAccess): Q(organization__in=self.user.auditor_of_organizations) ).distinct() - def can_read(self, obj): - if self.user.is_superuser or self.user.is_system_auditor: - return True - if obj.organization is not None: - if self.user in obj.organization.notification_admin_role or self.user in obj.organization.auditor_role: - return True - return False - @check_superuser def can_add(self, data): if not data: @@ -2538,9 +2499,6 @@ class NotificationAccess(BaseAccess): Q(notification_template__organization__in=self.user.auditor_of_organizations) ).distinct() - def can_read(self, obj): - return self.user.can_access(NotificationTemplate, 'read', obj.notification_template) - def can_delete(self, obj): return self.user.can_access(NotificationTemplate, 'delete', obj.notification_template) @@ -2555,10 +2513,6 @@ class LabelAccess(BaseAccess): def filtered_queryset(self): return self.model.objects.all() - @check_superuser - def can_read(self, obj): - return self.user in obj.organization.read_role - @check_superuser def can_add(self, data): if not data: # So the browseable API will work @@ -2716,15 +2670,6 @@ class RoleAccess(BaseAccess): result = result | super_qs return result - def can_read(self, obj): - if not obj: - return False - if self.user.is_superuser or self.user.is_system_auditor: - return True - - return Role.filter_visible_roles( - self.user, Role.objects.filter(pk=obj.id)).exists() - def can_add(self, obj, data): # Unsupported for now return False diff --git a/awx/main/tests/functional/test_rbac_label.py b/awx/main/tests/functional/test_rbac_label.py index a34a4bf27f..955894c06f 100644 --- a/awx/main/tests/functional/test_rbac_label.py +++ b/awx/main/tests/functional/test_rbac_label.py 
@@ -22,7 +22,7 @@ def test_label_get_queryset_su(label, user): @pytest.mark.django_db def test_label_access(label, user): access = LabelAccess(user('user', False)) - assert not access.can_read(label) + assert access.can_read(label) @pytest.mark.django_db diff --git a/awx/main/tests/functional/test_rbac_notifications.py b/awx/main/tests/functional/test_rbac_notifications.py index e98cae3ade..bc1d7d9214 100644 --- a/awx/main/tests/functional/test_rbac_notifications.py +++ b/awx/main/tests/functional/test_rbac_notifications.py @@ -87,7 +87,7 @@ def test_notification_template_access_admin(role, organization_factory, notifica assert access.can_change(notification_template, {'organization': present_org.id}) assert access.can_delete(notification_template) - nf = notification_template_factory("test-orphaned") + nf = notification_template_factory("test-orphaned").notification_template assert not access.can_read(nf) assert not access.can_change(nf, None) assert not access.can_delete(nf)
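Review bot: The flipped assertion `assert access.can_read(label)` in `test_label_access` pins a wider read permission rather than a neutral refactor: the user built by `user('user', False)` is given no role in the test, was denied before, and is allowed now. With `LabelAccess.can_read` deleted in awx/main/access.py, the decision presumably falls to the base class and so to `filtered_queryset`, which for labels is `self.model.objects.all()`; the base implementation is not part of this patch, so that should be confirmed. If open read on labels is intended, record it above the assertion, for example `# labels are readable by every user: LabelAccess.filtered_queryset is not scoped by organization`. If it is not intended, scope `filtered_queryset` to organizations the user can read before dropping the override, and keep the `assert not`. The same fallback question applies to the other deleted overrides that carried their own guards, such as the `obj and ...` checks in `HostAccess` and `GroupAccess`.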
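Review bot: The three `assert not` lines on the orphaned template cover only the deny path of the deleted `NotificationTemplateAccess.can_read`, for a template with no organization. The removed method also granted read to superusers, system auditors and holders of `notification_admin_role` or `auditor_role` on the organization, and nothing in this hunk checks that those still pass through the queryset-based fallback. If the lines above the hunk do not already have it, add `assert access.can_read(notification_template)` next to the existing `can_change` and `can_delete` checks. Before the `.notification_template` fix, `nf` appears to have been the factory's return object rather than the model, so the old negative assertions may have passed for the wrong reason; a comment such as `# nf is the NotificationTemplate itself, created without an organization` would make that explicit. The test function begins outside the hunk.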