Merge pull request #5245 from AlanCoding/inv_src_cred

check related credential for inventory source
2026-01-13 02:50:02 -03:30 · 2017-02-08 13:47:24 -05:00 · 2017-02-08 13:47:24 -05:00 · b21513754d
commit b21513754d
parent 2c1145570b f60f1fdcc4
2 changed files with 10 additions and 2 deletions
--- a/awx/main/access.py
+++ b/awx/main/access.py
@ -755,7 +755,10 @@ class InventorySourceAccess(BaseAccess):
    def can_change(self, obj, data):
        # Checks for admin or change permission on group.
        if obj and obj.group:
-            return self.user.can_access(Group, 'change', obj.group, None)
+            return (
+                self.user.can_access(Group, 'change', obj.group, None) and
+                self.check_related('credential', Credential, data, obj=obj, role_field='use_role')
+            )
        # Can't change inventory sources attached to only the inventory, since
        # these are created automatically from the management command.
        else:
--- a/awx/main/tests/functional/test_rbac_inventory.py
+++ b/awx/main/tests/functional/test_rbac_inventory.py
@ -8,6 +8,7 @@ from awx.main.models import (
 )
 from awx.main.access import (
    InventoryAccess,
+    InventorySourceAccess,
    HostAccess,
    InventoryUpdateAccess,
    CustomInventoryScriptAccess
@ -271,4 +272,8 @@ def test_host_access(organization, inventory, group, user, group_factory):
    assert inventory_admin_access.can_read(host) is False


-
+@pytest.mark.django_db
+def test_inventory_source_credential_check(rando, inventory_source, credential):
+    inventory_source.group.inventory.admin_role.members.add(rando)
+    access = InventorySourceAccess(rando)
+    assert not access.can_change(inventory_source, {'credential': credential})