From f60f1fdcc4d4b0886e0b90fa68721e8fce200f27 Mon Sep 17 00:00:00 2001
From: AlanCoding
Date: Wed, 8 Feb 2017 13:16:02 -0500
Subject: [PATCH] check related credential for inventory source
---
 awx/main/access.py | 5 ++++-
 awx/main/tests/functional/test_rbac_inventory.py | 7 ++++++-
 2 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/awx/main/access.py b/awx/main/access.py
index f2a00a6417..c18b4cfd6f 100644
--- a/awx/main/access.py
+++ b/awx/main/access.py
@@ -755,7 +755,10 @@ class InventorySourceAccess(BaseAccess):
 def can_change(self, obj, data):
 # Checks for admin or change permission on group.
 if obj and obj.group:
- return self.user.can_access(Group, 'change', obj.group, None)
+ return (
+ self.user.can_access(Group, 'change', obj.group, None) and
+ self.check_related('credential', Credential, data, obj=obj, role_field='use_role')
+ )
 # Can't change inventory sources attached to only the inventory, since
 # these are created automatically from the management command.
 else:
diff --git a/awx/main/tests/functional/test_rbac_inventory.py b/awx/main/tests/functional/test_rbac_inventory.py
index 46f3adaae7..b68003f049 100644
--- a/awx/main/tests/functional/test_rbac_inventory.py
+++ b/awx/main/tests/functional/test_rbac_inventory.py
@@ -8,6 +8,7 @@ from awx.main.models import (
 )
 from awx.main.access import (
 InventoryAccess,
+ InventorySourceAccess,
 HostAccess,
 InventoryUpdateAccess,
 CustomInventoryScriptAccess
@@ -271,4 +272,8 @@ def test_host_access(organization, inventory, group, user, group_factory):
 assert inventory_admin_access.can_read(host) is False
-
+@pytest.mark.django_db
+def test_inventory_source_credential_check(rando, inventory_source, credential):
+ inventory_source.group.inventory.admin_role.members.add(rando)
+ access = InventorySourceAccess(rando)
+ assert not access.can_change(inventory_source, {'credential': credential})
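Review bot: The comment kept above the `if obj and obj.group:` branch of `can_change` in awx/main/access.py still reads "Checks for admin or change permission on group", which no longer describes the condition now that the return also requires `check_related(..., role_field='use_role')` on the credential. I would update it to something like `# Requires change permission on the group and use_role on any credential supplied in data.` Because this is an authorization gate, the comment should also say what `check_related` decides when `data` is None or carries no `credential` key, which this hunk does not show. The `else:` branch of `can_change` continues outside the hunk.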
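Review bot: `test_inventory_source_credential_check` asserts only the denial, so it would also pass if `can_change` returned False for a reason unrelated to the credential, for example the group `change` check failing for `rando`. Adding the allowed case pins the denial to the new check: `credential.use_role.members.add(rando)` followed by `assert access.can_change(inventory_source, {'credential': credential})`. This assumes the `credential` fixture does not already grant `rando` a role, which the fixtures outside this hunk would confirm.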