Merge pull request #4529 from wenottingham/the-pirates-are-bringing-r-bac

Fix display of indirect access permissions.

Reviewed-by: https://github.com/apps/softwarefactory-project-zuul
softwarefactory-project-zuul[bot] 2019-09-05 17:40:44 +00:00 committed by GitHub
commit b4759de30d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 41 additions and 3 deletions


@ -21,9 +21,38 @@ export default
}))
.concat(scope.deleteTarget.summary_fields
.indirect_access.map((i) => {
i.role.explicit = false;
return i.role;
// Indirect access roles describe the role on another object that
// gives the user access to this object, so we must introspect them.
//
// If the user has indirect admin access, they are system admin, org admin,
// or a <resource_type>_admin. Return the role name directly.
// Similarly, if they are an auditor, return that instead of a read role.
if (i.descendant_roles.includes('admin_role') || i.role.name.includes('Auditor')) {
i.role.explicit = false;
i.role.parent_role_name = i.role.name;
return i.role;
}
// Handle more complex cases
// This includes roles team<->team roles, and roles an org admin
// inherits from teams in their organization.
//
// For these, we want to describe the actual permissions for the
// object we are retrieving the access_list for, so replace
// the role name with the descendant_roles.
let indirect_roles = [];
i.descendant_roles.forEach((descendant_role) => {
let r = _.cloneDeep(i.role);
r.parent_role_name = r.name;
r.name = descendant_role.replace('_role','');
r.explicit = false;
// Do not include the read role unless it is the only descendant role.
if (r.name !== 'read' || i.descendant_roles.length === 1) {
indirect_roles.push(r);
}
});
return indirect_roles;
}))
.flat()
.filter((role) => {
return Boolean(attrs.teamRoleList) === Boolean(role.team_id);
})
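Review bot: The auditor test `i.role.name.includes('Auditor')` keys on the role's display name, so if the API ever returns a translated or renamed role it would stop matching and an auditor's access would fall through to the descendant-role branch and be labelled differently. An access list is what administrators read when reviewing who can reach an object, so the label should not depend on a display string. If the role object carries a stable identifier, compare that instead; otherwise add a comment such as `// NOTE: matches the English display name; revisit if role names are localized`. The same condition calls `i.descendant_roles.includes(...)` with no check that the field exists, so one entry without it would throw and blank the whole list; `(i.descendant_roles || [])` would keep it rendering. The enclosing function starts and ends outside the hunk, so how these entries are populated is not visible here.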


@ -18,7 +18,16 @@
<div class="RoleList-tag"
ng-class="{'RoleList-tag--deletable': entry.explicit && entry.user_capabilities.unattach,
'RoleList-tag--team': entry.team_id}"
ng-if="!entry.team_id">
ng-if="!entry.team_id && (entry.explicit || !entry.resource_type)">
<span class="RoleList-name">{{ entry.name }}</span>
</div>
<div class="RoleList-tag"
ng-class="{'RoleList-tag--deletable': entry.explicit && entry.user_capabilities.unattach,
'RoleList-tag--team': entry.team_id}"
aw-tool-tip='<div>Via {{ entry.parent_role_name | sanitize }} role on {{ entry.resource_type | sanitize }} {{entry.resource_name | sanitize}}</div>' aw-tip-placement='bottom'
ng-if="!entry.team_id && !entry.explicit && entry.resource_type">
<span class="RoleList-name">{{ entry.name }}</span>
<i class="fa fa-sitemap"></i>
</div>
</div>
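Review bot: The tooltip on the new indirect-role tag builds an HTML string from `entry.parent_role_name`, `entry.resource_type` and `entry.resource_name`, and resource names are presumably user-editable, so the markup `aw-tool-tip` renders is only as safe as the `sanitize` filter on each field. A comment above the element would stop a later edit from adding an unfiltered field, for example `<!-- aw-tool-tip content is rendered as HTML: every interpolated field must keep | sanitize -->`. A UI test with a resource name containing markup would pin that behaviour. Separately, this block's `ng-if` requires `!entry.team_id && !entry.explicit`, so both `ng-class` conditions copied from the first tag can never be true here and the attribute can be dropped.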