From 39f26fe5767c92dd9eb5e06bb25e32d1d6c2d961 Mon Sep 17 00:00:00 2001 From: Jeff Bradberry Date: Mon, 3 May 2021 10:25:18 -0400 Subject: [PATCH] Revert the code that prevents sysadmins from changing managed EEs ref #10078 --- awx/api/views/__init__.py | 2 -- awx/main/access.py | 5 +---- 2 files changed, 1 insertion(+), 6 deletions(-) diff --git a/awx/api/views/__init__.py b/awx/api/views/__init__.py index 6f7238d8ca..f0c288602a 100644 --- a/awx/api/views/__init__.py +++ b/awx/api/views/__init__.py @@ -685,7 +685,6 @@ class TeamAccessList(ResourceAccessList): class ExecutionEnvironmentList(ListCreateAPIView): - always_allow_superuser = False model = models.ExecutionEnvironment serializer_class = serializers.ExecutionEnvironmentSerializer swagger_topic = "Execution Environments" @@ -693,7 +692,6 @@ class ExecutionEnvironmentList(ListCreateAPIView): class ExecutionEnvironmentDetail(RetrieveUpdateDestroyAPIView): - always_allow_superuser = False model = models.ExecutionEnvironment serializer_class = serializers.ExecutionEnvironmentSerializer swagger_topic = "Execution Environments" diff --git a/awx/main/access.py b/awx/main/access.py index 0647b598d2..5fd06b105f 100644 --- a/awx/main/access.py +++ b/awx/main/access.py @@ -1356,11 +1356,8 @@ class ExecutionEnvironmentAccess(BaseAccess): return Organization.accessible_objects(self.user, 'execution_environment_admin_role').exists() return self.check_related('organization', Organization, data, mandatory=True, role_field='execution_environment_admin_role') + @check_superuser def can_change(self, obj, data): - if obj.managed_by_tower: - raise PermissionDenied - if self.user.is_superuser: - return True if obj and obj.organization_id is None: raise PermissionDenied if self.user not in obj.organization.execution_environment_admin_role: