From 969fb21e982e68b7778472f0183e8142caceb92b Mon Sep 17 00:00:00 2001
From: AlanCoding
Date: Thu, 17 May 2018 12:46:40 -0400
Subject: [PATCH] restrict network_ui to inv admins
---
 awx/network_ui/consumers.py | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/awx/network_ui/consumers.py b/awx/network_ui/consumers.py
index 9cf8c72982..bd5dd90994 100644
--- a/awx/network_ui/consumers.py
+++ b/awx/network_ui/consumers.py
@@ -3,6 +3,7 @@ import channels
 from channels.auth import channel_session_user, channel_session_user_from_http
 from awx.network_ui.models import Topology, Device, Link, Client, Interface
 from awx.network_ui.models import TopologyInventory
+from awx.main.models.inventory import Inventory
 import urlparse
 from django.db.models import Q
 from collections import defaultdict
@@ -217,6 +218,18 @@ def ws_connect(message):
 data = urlparse.parse_qs(message.content['query_string'])
 inventory_id = parse_inventory_id(data)
+ try:
+ inventory = Inventory.objects.get(id=inventory_id)
+ except Inventory.DoesNotExist:
+ logger.error("User {} attempted connecting inventory_id {} that does not exist.".format(
+ message.user.id, inventory_id)
+ )
+ message.reply_channel.send({"close": True})
+ if message.user not in inventory.admin_role:
+ logger.warn("User {} attempted connecting to inventory_id {} without permission.".format(
+ message.user.id, inventory_id
+ ))
+ message.reply_channel.send({"close": True})
 topology_ids = list(TopologyInventory.objects.filter(inventory_id=inventory_id).values_list('pk', flat=True))
 topology_id = None
 if len(topology_ids) > 0:
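Review bot: Neither rejection branch in the second hunk stops the handler: there is no `return` after `message.reply_channel.send({"close": True})`, so a user who is not in `inventory.admin_role` still falls through to the `topology_ids` lookup and whatever ws_connect does after it (the rest of the function is outside the hunk, but it presumably goes on to set up the session for that inventory). On the `Inventory.DoesNotExist` path `inventory` is never bound, so the following `if message.user not in inventory.admin_role:` raises an UnboundLocalError instead of closing cleanly. Add a `return` directly after each close send so the access check actually gates the rest of the handler. `logger.warn` is a deprecated alias; `logger.warning` is the supported spelling.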