Merge pull request #13831 from slemrmartin/analytics-api-permissions

Analytics API: Permissions for System Auditor
2026-01-11 10:00:01 -03:30 · 2023-04-12 10:37:26 -04:00 · 2023-04-12 10:37:26 -04:00 · 9b390a624f
commit 9b390a624f
parent b80d0ae85b 0046ce5e69
2 changed files with 17 additions and 4 deletions
--- a/awx/api/permissions.py
+++ b/awx/api/permissions.py
@ -25,6 +25,7 @@ __all__ = [
    'UserPermission',
    'IsSystemAdminOrAuditor',
    'WorkflowApprovalPermission',
+    'AnalyticsPermission',
 ]


@ -250,3 +251,16 @@ class IsSystemAdminOrAuditor(permissions.BasePermission):
 class WebhookKeyPermission(permissions.BasePermission):
    def has_object_permission(self, request, view, obj):
        return request.user.can_access(view.model, 'admin', obj, request.data)
+
+
+class AnalyticsPermission(permissions.BasePermission):
+    """
+    Allows GET/POST/OPTIONS to system admins and system auditors.
+    """
+
+    def has_permission(self, request, view):
+        if not (request.user and request.user.is_authenticated):
+            return False
+        if request.method in ["GET", "POST", "OPTIONS"]:
+            return request.user.is_superuser or request.user.is_system_auditor
+        return request.user.is_superuser
--- a/awx/api/views/analytics.py
+++ b/awx/api/views/analytics.py
@ -7,10 +7,9 @@ from django.utils.translation import gettext_lazy as _
 from django.utils import translation

 from awx.api.generics import APIView, Response
-from awx.api.permissions import IsSystemAdminOrAuditor
+from awx.api.permissions import AnalyticsPermission
 from awx.api.versioning import reverse
 from awx.main.utils import get_awx_version
-from rest_framework.permissions import AllowAny
 from rest_framework import status

 from collections import OrderedDict
@ -43,7 +42,7 @@ class GetNotAllowedMixin(object):


 class AnalyticsRootView(APIView):
-    permission_classes = (AllowAny,)
+    permission_classes = (AnalyticsPermission,)
    name = _('Automation Analytics')
    swagger_topic = 'Automation Analytics'

@ -99,7 +98,7 @@ class AnalyticsGenericView(APIView):
        return Response(response.json(), status=response.status_code)
    """

-    permission_classes = (IsSystemAdminOrAuditor,)
+    permission_classes = (AnalyticsPermission,)

    @staticmethod
    def _request_headers(request):