Merge pull request #4388 from AlanCoding/wfjt_copy_perm

Fix WFJT copy RBAC bugs
2026-01-15 11:50:42 -03:30 · 2016-12-12 16:17:02 -05:00 · 2016-12-12 16:17:02 -05:00 · b7f469baab
commit b7f469baab
parent e1942083e3 30b212b724
3 changed files with 19 additions and 4 deletions
--- a/awx/api/views.py
+++ b/awx/api/views.py
@ -2889,11 +2889,13 @@ class WorkflowJobTemplateCopy(WorkflowsEnforcementMixin, GenericAPIView):
    def post(self, request, *args, **kwargs):
        obj = self.get_object()
        if not request.user.can_access(self.model, 'copy', obj):
-            return PermissionDenied()
-        new_wfjt = obj.user_copy(request.user)
+            raise PermissionDenied()
+        new_obj = obj.user_copy(request.user)
+        if request.user not in new_obj.admin_role:
+            new_obj.admin_role.members.add(request.user)
        data = OrderedDict()
        data.update(WorkflowJobTemplateSerializer(
-            new_wfjt, context=self.get_serializer_context()).to_representation(new_wfjt))
+            new_obj, context=self.get_serializer_context()).to_representation(new_obj))
        return Response(data, status=status.HTTP_201_CREATED)


--- a/awx/main/access.py
+++ b/awx/main/access.py
@ -1550,7 +1550,7 @@ class WorkflowJobTemplateAccess(BaseAccess):
                    wfjt_errors[node.id] = node_errors
            self.messages.update(wfjt_errors)

-        return self.check_related('organization', Organization, {}, obj=obj, mandatory=True)
+        return self.check_related('organization', Organization, {'reference_obj': obj}, mandatory=True)

    def can_start(self, obj, validate_license=True):
        if validate_license:
--- a/awx/main/tests/functional/test_rbac_workflow.py
+++ b/awx/main/tests/functional/test_rbac_workflow.py
@ -86,6 +86,19 @@ class TestWorkflowJobAccess:
        access = WorkflowJobAccess(rando)
        assert access.can_cancel(workflow_job)

+    def test_copy_permissions_org_admin(self, wfjt, org_admin, org_member):
+        admin_access = WorkflowJobTemplateAccess(org_admin)
+        assert admin_access.can_copy(wfjt)
+
+    def test_copy_permissions_user(self, wfjt, org_admin, org_member):
+        '''
+        Only org admins are able to add WFJTs, only org admins
+        are able to copy them
+        '''
+        wfjt.admin_role.members.add(org_member)
+        member_access = WorkflowJobTemplateAccess(org_member)
+        assert not member_access.can_copy(wfjt)
+
    def test_workflow_copy_warnings_inv(self, wfjt, rando, inventory):
        '''
        The user `rando` does not have access to the prompted inventory in a