Create the RBAC access class for execution environments

2026-02-04 02:58:13 -03:30 · 2020-07-01 16:12:24 -04:00
parent 41613ff544
commit 9697999ddd
1 changed files with 48 additions and 3 deletions
--- a/awx/main/access.py
+++ b/awx/main/access.py
@@ -29,9 +29,9 @@ from awx.main.utils import (
 )
 from awx.main.models import (
    ActivityStream, AdHocCommand, AdHocCommandEvent, Credential, CredentialType,
-    CredentialInputSource, CustomInventoryScript, Group, Host, Instance, InstanceGroup,
-    Inventory, InventorySource, InventoryUpdate, InventoryUpdateEvent, Job, JobEvent,
-    JobHostSummary, JobLaunchConfig, JobTemplate, Label, Notification,
+    CredentialInputSource, CustomInventoryScript, ExecutionEnvironment, Group, Host, Instance,
+    InstanceGroup, Inventory, InventorySource, InventoryUpdate, InventoryUpdateEvent, Job,
+    JobEvent, JobHostSummary, JobLaunchConfig, JobTemplate, Label, Notification,
    NotificationTemplate, Organization, Project, ProjectUpdate,
    ProjectUpdateEvent, Role, Schedule, SystemJob, SystemJobEvent,
    SystemJobTemplate, Team, UnifiedJob, UnifiedJobTemplate, WorkflowJob,
@@ -1308,6 +1308,51 @@ class TeamAccess(BaseAccess):
                                                    *args, **kwargs)


+class ExecutionEnvironmentAccess(BaseAccess):
+    """
+    I can see an execution environment when:
+     - I'm a superuser
+     - I'm a member of the organization
+     - it is a global ExecutionEnvironment
+    I can create/change an execution environment when:
+     - I'm a superuser
+     - I'm an admin for the organization(s)
+    """
+
+    model = ExecutionEnvironment
+
+    def filtered_queryset(self):
+        return ExecutionEnvironment.objects.filter(
+            Q(organization__in=Organization.accessible_pk_qs(self.user, 'admin_role')) |
+            Q(organization__isnull=True)
+        ).distinct()
+
+    @check_superuser
+    def can_add(self, data):
+        if not data:  # So the browseable API will work
+            return Organization.accessible_objects(self.user, 'admin_role').exists()
+        return self.check_related('organization', Organization, data)
+
+    @check_superuser
+    def can_change(self, obj, data):
+        if obj and obj.organization_id is None:
+            raise PermissionDenied
+        if self.user not in obj.organization.admin_role:
+            raise PermissionDenied
+        org_pk = get_pk_from_dict(data, 'organization')
+        if obj and obj.organization_id != org_pk:
+            # Prevent moving an EE to a different organization, unless a superuser or admin on both orgs.
+            if obj.organization_id is None or org_pk is None:
+                raise PermissionDenied
+            if self.user not in Organization.objects.get(id=org_pk).admin_role:
+                raise PermissionDenied
+
+        return True
+
+    def can_delete(self, obj):
+        return self.can_change(obj, None)
+
+
 class ProjectAccess(NotificationAttachMixin, BaseAccess):
    '''
    I can see projects when: