Merge pull request #3565 from wwitzel3/fix-3387

only allow superusers to start a job from a SystemJobTemplate
2026-01-14 11:20:39 -03:30 · 2016-09-23 10:16:49 -04:00 · 2016-09-23 10:16:49 -04:00 · b1bf7332ed
commit b1bf7332ed
parent e0fb59eff1 a4adda1ae7
2 changed files with 21 additions and 2 deletions
--- a/awx/main/access.py
+++ b/awx/main/access.py
@ -1122,8 +1122,10 @@ class SystemJobTemplateAccess(BaseAccess):

    model = SystemJobTemplate

+    @check_superuser
    def can_start(self, obj):
-        return self.can_read(obj)
+        '''Only a superuser can start a job from a SystemJobTemplate'''
+        return False

 class SystemJobAccess(BaseAccess):
    '''
--- a/awx/main/tests/unit/test_access.py
+++ b/awx/main/tests/unit/test_access.py
@ -8,8 +8,16 @@ from awx.main.access import (
    BaseAccess,
    check_superuser,
    JobTemplateAccess,
+    SystemJobTemplateAccess,
+)
+
+from awx.main.models import (
+    Credential,
+    Inventory,
+    Project,
+    Role,
+    Organization,
 )
-from awx.main.models import Credential, Inventory, Project, Role, Organization


@pytest.fixture
@ -110,3 +118,12 @@ def test_jt_can_add_bad_data(user_unit):
    access = JobTemplateAccess(user_unit)
    assert not access.can_add({'asdf': 'asdf'})

+def test_system_job_template_can_start(mocker):
+    user = mocker.MagicMock(spec=User, id=1, is_system_auditor=True, is_superuser=False)
+    assert user.is_system_auditor
+    access = SystemJobTemplateAccess(user)
+    assert not access.can_start(None)
+
+    user.is_superuser = True
+    access = SystemJobTemplateAccess(user)
+    assert access.can_start(None)