External-Mirrors/awx
2
0
Fork 0
mirror of https://github.com/ansible/awx.git synced 2026-02-26 07:26:03 -03:30
Code Issues Packages Projects Releases Wiki Activity

Only allow superusers to create other superusers.

Browse Source
This commit is contained in:
Luke Sneeringer
2014-10-22 15:05:05 -05:00
parent 14af6c579c
commit b7b92cb995
2 changed files with 35 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

35
awx/api/views.py
View File

@@ -428,6 +428,33 @@ class DashboardInventoryGraphView(APIView):
return Response(dashboard_data) return Response(dashboard_data)
class UserCreateAPIMixin(object):
"""A mixin subclass that ensures that only a superuser is able to create
another superuser.
"""
def post(self, request, pk=None):
self._superuser_sanity_check(request)
return super(UserCreateAPIMixin, self).post(request, pk=pk)
# def put(self, request, pk=None):
# self._superuser_sanity_check(request)
# return super(UserCreateAPIMixin, self).put(request, pk=pk)
# def patch(self, request, pk=None):
# self._superuser_sanity_check(request)
# return super(UserCreateAPIMixin, self).patch(request, pk=pk)
def _superuser_sanity_check(self, request):
"""Ensure that if a non-superuser tries to create a superuser,
that the request is rejected.
"""
if not request.user.is_superuser:
if request.DATA.get('is_superuser', False):
raise PermissionDenied('Only superusers may create '
'other superusers.')
class ScheduleList(ListAPIView): class ScheduleList(ListAPIView):
view_name = "Schedules" view_name = "Schedules"
@@ -489,14 +516,14 @@ class OrganizationInventoriesList(SubListAPIView):
parent_model = Organization parent_model = Organization
relationship = 'inventories' relationship = 'inventories'
class OrganizationUsersList(SubListCreateAPIView): class OrganizationUsersList(UserCreateAPIMixin, SubListCreateAPIView):
model = User model = User
serializer_class = UserSerializer serializer_class = UserSerializer
parent_model = Organization parent_model = Organization
relationship = 'users' relationship = 'users'
class OrganizationAdminsList(SubListCreateAPIView): class OrganizationAdminsList(UserCreateAPIMixin, SubListCreateAPIView):
model = User model = User
serializer_class = UserSerializer serializer_class = UserSerializer
@@ -536,7 +563,7 @@ class TeamDetail(RetrieveUpdateDestroyAPIView):
model = Team model = Team
serializer_class = TeamSerializer serializer_class = TeamSerializer
class TeamUsersList(SubListCreateAPIView): class TeamUsersList(UserCreateAPIMixin, SubListCreateAPIView):
model = User model = User
serializer_class = UserSerializer serializer_class = UserSerializer
@@ -731,7 +758,7 @@ class ProjectUpdateCancel(GenericAPIView):
else: else:
return self.http_method_not_allowed(request, *args, **kwargs) return self.http_method_not_allowed(request, *args, **kwargs)
class UserList(ListCreateAPIView): class UserList(UserCreateAPIMixin, ListCreateAPIView):
model = User model = User
serializer_class = UserSerializer serializer_class = UserSerializer

5
awx/main/tests/projects.py
View File

@@ -415,7 +415,10 @@ class ProjectsTest(BaseTransactionTest):
all_users = self.get(reverse('api:user_list'), expect=200, auth=self.get_normal_credentials()) all_users = self.get(reverse('api:user_list'), expect=200, auth=self.get_normal_credentials())
for x in all_users['results']: for x in all_users['results']:
self.post(team_users, data=x, expect=403, auth=self.get_nobody_credentials()) self.post(team_users, data=x, expect=403, auth=self.get_nobody_credentials())
self.post(team_users, data=x, expect=204, auth=self.get_normal_credentials()) self.post(team_users, data=dict(x, is_superuser=False),
expect=204, auth=self.get_normal_credentials())
self.post(team_users, data=dict(x, is_superuser=True),
expect=403, auth=self.get_normal_credentials())
self.assertEqual(Team.objects.get(pk=team.pk).users.count(), 4) self.assertEqual(Team.objects.get(pk=team.pk).users.count(), 4)