enforce use_role access on both inventory and project when adding a JT

2026-01-14 03:10:42 -03:30 · 2016-05-24 12:37:44 -04:00 · 2016-05-24 12:37:44 -04:00 · a5bc62d7d4
commit a5bc62d7d4
parent a276b9271d
1 changed files with 4 additions and 4 deletions
--- a/awx/main/access.py
+++ b/awx/main/access.py
@ -773,7 +773,9 @@ class JobTemplateAccess(BaseAccess):
        inventory_pk = get_pk_from_dict(data, 'inventory')
        inventory = Inventory.objects.filter(id=inventory_pk)
        if not inventory.exists() and not data.get('ask_inventory_on_launch', False):
-            return False # Does this make sense?  Maybe should check read access
+            return False
+        if inventory.exists() and not self.user in inventory[0].use_role:
+            return False

        project_pk = get_pk_from_dict(data, 'project')
        if 'job_type' in data and data['job_type'] == PERM_INVENTORY_SCAN:
@ -786,10 +788,8 @@ class JobTemplateAccess(BaseAccess):
        # If the user has admin access to the project (as an org admin), should
        # be able to proceed without additional checks.
        project = get_object_or_400(Project, pk=project_pk)
-        if self.user in project.admin_role:
-            return True

-        return self.user in project.admin_role and self.user in inventory.read_role
+        return self.user in project.use_role

    def can_start(self, obj, validate_license=True):
        # Check license.