prohibit relaunching workflow jobs from other users
@@ -1927,12 +1927,22 @@ class WorkflowJobAccess(BaseAccess):
|
|||||||
if not wfjt:
|
if not wfjt:
|
||||||
return False
|
return False
|
||||||
|
|
||||||
# execute permission to WFJT is mandatory for any relaunch
|
# If job was launched by another user, it could have survey passwords
|
||||||
if self.user not in wfjt.execute_role:
|
if obj.created_by_id != self.user.pk:
|
||||||
return False
|
# Obtain prompts used to start original job
|
||||||
|
JobLaunchConfig = obj._meta.get_field('launch_config').related_model
|
||||||
|
try:
|
||||||
|
config = JobLaunchConfig.objects.get(job=obj)
|
||||||
|
except JobLaunchConfig.DoesNotExist:
|
||||||
|
config = None
|
||||||
|
|
||||||
# user's WFJT access doesn't guarentee permission to launch, introspect nodes
|
if config is None or config.prompts_dict():
|
||||||
return self.can_recreate(obj)
|
if self.save_messages:
|
||||||
|
self.messages['detail'] = _('Job was launched with prompts provided by another user.')
|
||||||
|
return False
|
||||||
|
|
||||||
|
# execute permission to WFJT is mandatory for any relaunch
|
||||||
|
return (self.user in wfjt.execute_role)
|
||||||
|
|
||||||
def can_recreate(self, obj):
|
def can_recreate(self, obj):
|
||||||
node_qs = obj.workflow_job_nodes.all().prefetch_related('inventory', 'credentials', 'unified_job_template')
|
node_qs = obj.workflow_job_nodes.all().prefetch_related('inventory', 'credentials', 'unified_job_template')
|
||||||
|
|||||||
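Review bot: The relaunch path no longer calls `self.can_recreate(obj)`: on the new side the method ends with `return (self.user in wfjt.execute_role)`, while the removed lines returned `self.can_recreate(obj)` after the execute-role check, and the removed comment stated that WFJT access alone does not guarantee permission and the nodes must be introspected. For the job's own creator (`obj.created_by_id == self.user.pk`) the node-level inventory/credential check is therefore skipped entirely, so a user whose access to a node's resources was revoked after the original launch can still relaunch as long as they keep `execute_role` on the template — unless the caller performs that check elsewhere, which is not visible here; if the relaxation is intended, say so in the comment, otherwise restore it as `return self.user in wfjt.execute_role and self.can_recreate(obj)`. A smaller point: the detail message `Job was launched with prompts provided by another user.` is also set when `config is None`, where no prompts are known at all; a distinct message such as `Launch configuration of the original job is unavailable.` would be less misleading to the caller. The enclosing method starts before the hunk; it appears to be the `can_start` the new tests call, but its signature is not visible here.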
@@ -7,7 +7,7 @@ from awx.main.access import (
|
|||||||
# WorkflowJobNodeAccess
|
# WorkflowJobNodeAccess
|
||||||
)
|
)
|
||||||
|
|
||||||
from awx.main.models import InventorySource
|
from awx.main.models import InventorySource, JobLaunchConfig
|
||||||
|
|
||||||
|
|
||||||
@pytest.fixture
|
@pytest.fixture
|
||||||
@@ -135,6 +135,20 @@ class TestWorkflowJobAccess:
|
|||||||
access = WorkflowJobAccess(rando)
|
access = WorkflowJobAccess(rando)
|
||||||
assert access.can_cancel(workflow_job)
|
assert access.can_cancel(workflow_job)
|
||||||
|
|
||||||
|
def test_execute_role_relaunch(self, wfjt, workflow_job, rando):
|
||||||
|
wfjt.execute_role.members.add(rando)
|
||||||
|
JobLaunchConfig.objects.create(job=workflow_job)
|
||||||
|
assert WorkflowJobAccess(rando).can_start(workflow_job)
|
||||||
|
|
||||||
|
def test_cannot_relaunch_friends_job(self, wfjt, rando, alice):
|
||||||
|
workflow_job = wfjt.workflow_jobs.create(name='foo', created_by=alice)
|
||||||
|
JobLaunchConfig.objects.create(
|
||||||
|
job=workflow_job,
|
||||||
|
extra_data={'foo': 'fooforyou'}
|
||||||
|
)
|
||||||
|
wfjt.execute_role.members.add(alice)
|
||||||
|
assert not WorkflowJobAccess(rando).can_start(workflow_job)
|
||||||
|
|
||||||
|
|
||||||
@pytest.mark.django_db
|
@pytest.mark.django_db
|
||||||
class TestWFJTCopyAccess:
|
class TestWFJTCopyAccess:
|
||||||
|
|||||||
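Review bot: `test_cannot_relaunch_friends_job` does not isolate the new created_by check: `rando` is never added to `wfjt.execute_role` (only `alice` is), so unless the `wfjt` or `rando` fixture grants it, `can_start` returns False from the trailing execute-role check and the test would also pass against the old code. Add `wfjt.execute_role.members.add(rando)` before the assertion so the denial can only come from the prompt-ownership branch. Two related cases are untested: a job created by another user whose launch config has no prompts (`JobLaunchConfig.objects.create(job=workflow_job)` with `created_by=alice`) should still be relaunchable by a `rando` in `execute_role`, and a job with no `JobLaunchConfig` row at all should be denied. The detail message written under `save_messages` is not asserted either; how `save_messages` is enabled on `WorkflowJobAccess` is not visible in this hunk.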