External-Mirrors/awx
2
0
Fork 0
mirror of https://github.com/ansible/awx.git synced 2026-03-24 12:25:01 -02:30
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #4388 from AlanCoding/wfjt_copy_perm

Browse Source 
Fix WFJT copy RBAC bugs
This commit is contained in:
Alan Rominger
2016-12-12 16:17:02 -05:00
committed by GitHub
parent e1942083e3 30b212b724
commit b7f469baab
3 changed files with 19 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
awx/api/views.py
View File

@@ -2889,11 +2889,13 @@ class WorkflowJobTemplateCopy(WorkflowsEnforcementMixin, GenericAPIView):
def post(self, request, *args, **kwargs): def post(self, request, *args, **kwargs):
obj = self.get_object() obj = self.get_object()
if not request.user.can_access(self.model, 'copy', obj): if not request.user.can_access(self.model, 'copy', obj):
return PermissionDenied() raise PermissionDenied()
new_wfjt = obj.user_copy(request.user) new_obj = obj.user_copy(request.user)
if request.user not in new_obj.admin_role:
new_obj.admin_role.members.add(request.user)
data = OrderedDict() data = OrderedDict()
data.update(WorkflowJobTemplateSerializer( data.update(WorkflowJobTemplateSerializer(
new_wfjt, context=self.get_serializer_context()).to_representation(new_wfjt)) new_obj, context=self.get_serializer_context()).to_representation(new_obj))
return Response(data, status=status.HTTP_201_CREATED) return Response(data, status=status.HTTP_201_CREATED)

2
awx/main/access.py
View File

@@ -1550,7 +1550,7 @@ class WorkflowJobTemplateAccess(BaseAccess):
wfjt_errors[node.id] = node_errors wfjt_errors[node.id] = node_errors
self.messages.update(wfjt_errors) self.messages.update(wfjt_errors)
return self.check_related('organization', Organization, {}, obj=obj, mandatory=True) return self.check_related('organization', Organization, {'reference_obj': obj}, mandatory=True)
def can_start(self, obj, validate_license=True): def can_start(self, obj, validate_license=True):
if validate_license: if validate_license:

13
awx/main/tests/functional/test_rbac_workflow.py
View File

@@ -86,6 +86,19 @@ class TestWorkflowJobAccess:
access = WorkflowJobAccess(rando) access = WorkflowJobAccess(rando)
assert access.can_cancel(workflow_job) assert access.can_cancel(workflow_job)
def test_copy_permissions_org_admin(self, wfjt, org_admin, org_member):
admin_access = WorkflowJobTemplateAccess(org_admin)
assert admin_access.can_copy(wfjt)
def test_copy_permissions_user(self, wfjt, org_admin, org_member):
'''
Only org admins are able to add WFJTs, only org admins
are able to copy them
'''
wfjt.admin_role.members.add(org_member)
member_access = WorkflowJobTemplateAccess(org_member)
assert not member_access.can_copy(wfjt)
def test_workflow_copy_warnings_inv(self, wfjt, rando, inventory): def test_workflow_copy_warnings_inv(self, wfjt, rando, inventory):
''' '''
The user `rando` does not have access to the prompted inventory in a The user `rando` does not have access to the prompted inventory in a