External-Mirrors/awx
2
0
Fork 0
mirror of https://github.com/ansible/awx.git synced 2026-03-23 20:05:03 -02:30
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #3565 from wwitzel3/fix-3387

Browse Source 
only allow superusers to start a job from a SystemJobTemplate
This commit is contained in:
Wayne Witzel III
2016-09-23 10:16:49 -04:00
committed by GitHub
parent e0fb59eff1 a4adda1ae7
commit b1bf7332ed
2 changed files with 21 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
awx/main/access.py
View File

@@ -1122,8 +1122,10 @@ class SystemJobTemplateAccess(BaseAccess):
model = SystemJobTemplate model = SystemJobTemplate
@check_superuser
def can_start(self, obj): def can_start(self, obj):
return self.can_read(obj) '''Only a superuser can start a job from a SystemJobTemplate'''
return False
class SystemJobAccess(BaseAccess): class SystemJobAccess(BaseAccess):
''' '''

19
awx/main/tests/unit/test_access.py
View File

@@ -8,8 +8,16 @@ from awx.main.access import (
BaseAccess, BaseAccess,
check_superuser, check_superuser,
JobTemplateAccess, JobTemplateAccess,
SystemJobTemplateAccess,
)
from awx.main.models import (
Credential,
Inventory,
Project,
Role,
Organization,
) )
from awx.main.models import Credential, Inventory, Project, Role, Organization
@pytest.fixture @pytest.fixture
@@ -110,3 +118,12 @@ def test_jt_can_add_bad_data(user_unit):
access = JobTemplateAccess(user_unit) access = JobTemplateAccess(user_unit)
assert not access.can_add({'asdf': 'asdf'}) assert not access.can_add({'asdf': 'asdf'})
def test_system_job_template_can_start(mocker):
user = mocker.MagicMock(spec=User, id=1, is_system_auditor=True, is_superuser=False)
assert user.is_system_auditor
access = SystemJobTemplateAccess(user)
assert not access.can_start(None)
user.is_superuser = True
access = SystemJobTemplateAccess(user)
assert access.can_start(None)