Merge pull request #1314 from AlanCoding/fix_rescheduling

Correct permission check for job rescheduling
2026-01-13 11:00:03 -03:30 · 2018-02-22 16:04:04 -05:00 · 2018-02-22 16:04:04 -05:00 · ad8822bcfc
commit ad8822bcfc
parent c35c01e7b1 992d7831b1
2 changed files with 31 additions and 5 deletions
--- a/awx/api/views.py
+++ b/awx/api/views.py
@ -4125,8 +4125,6 @@ class JobCreateSchedule(RetrieveAPIView):
                            status=status.HTTP_400_BAD_REQUEST)

        config = obj.launch_config
-        if not request.user.can_access(JobLaunchConfig, 'add', {'reference_obj': obj}):
-            raise PermissionDenied()

        # Make up a name for the schedule, guarentee that it is unique
        name = 'Auto-generated schedule from job {}'.format(obj.id)
@ -4139,7 +4137,7 @@ class JobCreateSchedule(RetrieveAPIView):
                alt_name = '{} - number {}'.format(name, idx)
            name = alt_name

-        schedule = Schedule.objects.create(
+        schedule_data = dict(
            name=name,
            unified_job_template=obj.unified_job_template,
            enabled=False,
@ -4147,11 +4145,18 @@ class JobCreateSchedule(RetrieveAPIView):
            extra_data=config.extra_data,
            survey_passwords=config.survey_passwords,
            inventory=config.inventory,
-            char_prompts=config.char_prompts
+            char_prompts=config.char_prompts,
+            credentials=set(config.credentials.all())
        )
-        schedule.credentials.add(*config.credentials.all())
+        if not request.user.can_access(Schedule, 'add', schedule_data):
+            raise PermissionDenied()
+
+        creds_list = schedule_data.pop('credentials')
+        schedule = Schedule.objects.create(**schedule_data)
+        schedule.credentials.add(*creds_list)

        data = ScheduleSerializer(schedule, context=self.get_serializer_context()).data
+        data.serializer.instance = None  # hack to avoid permissions.py assuming this is Job model
        headers = {'Location': schedule.get_absolute_url(request=request)}
        return Response(data, status=status.HTTP_201_CREATED, headers=headers)

--- a/awx/main/tests/functional/test_rbac_job_templates.py
+++ b/awx/main/tests/functional/test_rbac_job_templates.py
@ -275,3 +275,24 @@ class TestJobTemplateSchedules:
        schedule = Schedule.objects.create(unified_job_template=job_template, rrule=self.rrule, created_by=rando)
        access = ScheduleAccess(rando)
        assert access.can_change(schedule, {'rrule': self.rrule2})
+
+    def test_prompts_access_checked(self, job_template, inventory, credential, rando):
+        job_template.execute_role.members.add(rando)
+        access = ScheduleAccess(rando)
+        data = dict(
+            unified_job_template=job_template,
+            rrule=self.rrule,
+            created_by=rando,
+            inventory=inventory,
+            credentials=[credential]
+        )
+        with mock.patch('awx.main.access.JobLaunchConfigAccess.can_add') as mock_add:
+            mock_add.return_value = True
+            assert access.can_add(data)
+            mock_add.assert_called_once_with(data)
+        data.pop('credentials')
+        schedule = Schedule.objects.create(**data)
+        with mock.patch('awx.main.access.JobLaunchConfigAccess.can_change') as mock_change:
+            mock_change.return_value = True
+            assert access.can_change(schedule, {'inventory': 42})
+            mock_change.assert_called_once_with(schedule, {'inventory': 42})