External-Mirrors/awx
2
0
Fork 0
mirror of https://github.com/ansible/awx.git synced 2026-05-24 09:07:45 -02:30
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #2004 from AlanCoding/checkin_access

Browse Source 
Allow managing credentials with external user management
This commit is contained in:
Alan Rominger
2018-06-12 07:47:16 -04:00
committed by GitHub
parent 951142d510 f692f0c70a
commit a8c31a51e9
2 changed files with 20 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
awx/main/access.py
View File

@@ -532,8 +532,8 @@ class UserAccess(BaseAccess):
return not self.user_membership_roles(u).exists() return not self.user_membership_roles(u).exists()
@check_superuser @check_superuser
def can_admin(self, obj, data, allow_orphans=False): def can_admin(self, obj, data, allow_orphans=False, check_setting=True):
if not settings.MANAGE_ORGANIZATION_AUTH: if check_setting and (not settings.MANAGE_ORGANIZATION_AUTH):
return False return False
if obj.is_superuser or obj.is_system_auditor: if obj.is_superuser or obj.is_system_auditor:
# must be superuser to admin users with system roles # must be superuser to admin users with system roles
@@ -1066,7 +1066,7 @@ class CredentialAccess(BaseAccess):
return True return True
if data and data.get('user', None): if data and data.get('user', None):
user_obj = get_object_from_data('user', User, data) user_obj = get_object_from_data('user', User, data)
return check_user_access(self.user, User, 'change', user_obj, None) return bool(self.user == user_obj or UserAccess(self.user).can_admin(user_obj, None, check_setting=False))
if data and data.get('team', None): if data and data.get('team', None):
team_obj = get_object_from_data('team', Team, data) team_obj = get_object_from_data('team', Team, data)
return check_user_access(self.user, Team, 'change', team_obj, None) return check_user_access(self.user, Team, 'change', team_obj, None)

17
awx/main/tests/functional/test_rbac_credential.py
View File

@@ -1,5 +1,7 @@
import pytest import pytest
import mock
from awx.main.access import CredentialAccess from awx.main.access import CredentialAccess
from awx.main.models.credential import Credential from awx.main.models.credential import Credential
from django.contrib.auth.models import User from django.contrib.auth.models import User
@@ -22,6 +24,21 @@ def test_credential_access_superuser():
assert access.can_delete(credential) assert access.can_delete(credential)
@pytest.mark.django_db
def test_credential_access_self(rando):
access = CredentialAccess(rando)
assert access.can_add({'user': rando.pk})
@pytest.mark.django_db
@pytest.mark.parametrize('ext_auth', [True, False])
def test_credential_access_org_user(org_member, org_admin, ext_auth):
access = CredentialAccess(org_admin)
with mock.patch('awx.main.access.settings') as settings_mock:
settings_mock.MANAGE_ORGANIZATION_AUTH = ext_auth
assert access.can_add({'user': org_member.pk})
@pytest.mark.django_db @pytest.mark.django_db
def test_credential_access_auditor(credential, organization_factory): def test_credential_access_auditor(credential, organization_factory):
objects = organization_factory("org_cred_auditor", objects = organization_factory("org_cred_auditor",