From bbef9b896faab200f5e1971b00d2fcad7b7741b1 Mon Sep 17 00:00:00 2001
From: Akita Noek
Date: Thu, 24 Mar 2016 13:27:50 -0400
Subject: [PATCH] Removed RoleAccess queryset capabilities; add explicit can_read implemenation

We can probably make this into a query set if we're ever interested, but so far we just use can_read so better to have an explicit implemenation
---
 awx/main/access.py | 26 ++++++++++++++++++++++++--
 1 file changed, 24 insertions(+), 2 deletions(-)

diff --git a/awx/main/access.py b/awx/main/access.py
index a0d34d2607..7b7cb70660 100644
--- a/awx/main/access.py
+++ b/awx/main/access.py
@@ -1332,7 +1332,11 @@ class TowerSettingsAccess(BaseAccess):
 class RoleAccess(BaseAccess):
     '''
-    TODO: XXX: Needs implemenation
+    - I can see roles when
+      - I am a super user
+      - I am a member of that role
+      - The role is a descdendent role of a role I am a member of
+      - The role is an implicit role of an object that I can see a role of.
     '''
     model = Role
@@ -1340,11 +1344,26 @@ class RoleAccess(BaseAccess):
     def get_queryset(self):
         if self.user.is_superuser:
             return self.model.objects.all()
-        return Role.objects.filter(ancestors__in=self.user.roles.all())
+        return Role.objects.none()
     def can_change(self, obj, data):
         return self.user.is_superuser
+    def can_read(self, obj):
+        if not obj:
+            return False
+        if self.user.is_superuser:
+            return True
+
+        if obj.object_id:
+            sister_roles = Role.objects.filter(
+                content_type = obj.content_type,
+                object_id = obj.object_id
+            )
+        else:
+            sister_roles = obj
+        return self.user.roles.filter(descendents__in=sister_roles).exists()
+
     def can_add(self, obj, data):
         # Unsupported for now
         return False
@@ -1367,6 +1386,9 @@ class RoleAccess(BaseAccess):
         return False
+
+
+
 register_access(User, UserAccess)
 register_access(Organization, OrganizationAccess)
 register_access(Inventory, InventoryAccess)
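Review bot: The added class docstring spells `descdendent` where `descendent` is meant, in the fourth bullet. The bullets describe the per-object `can_read` rules, while `get_queryset` in the following hunk returns `Role.objects.none()` for any non-superuser, so a reader of this docstring would expect the list endpoint to apply the same rules; a closing sentence such as `Listing roles (get_queryset) is only supported for superusers; per-object access is decided by can_read.` would remove that ambiguity. The enclosing class RoleAccess continues past this hunk.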
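Review bot: In the added `can_read`, the `else` branch assigns `sister_roles = obj`, a single Role instance, and then passes it to `descendents__in=sister_roles`; Django's `__in` lookup expects an iterable or queryset, so a role without an `object_id` will most likely raise a TypeError at that line rather than be access-checked (unless Role is iterable, which is not visible here). Giving both branches the same type, `sister_roles = [obj]` or `sister_roles = Role.objects.filter(pk=obj.pk)`, avoids that. The non-superuser grant is also deliberately broader than a member/descendant test — holding any role on an object makes every role on that object readable, which matches the class docstring but deserves a why-comment at the `if obj.object_id:` branch, e.g. `# any role held on the same object makes its sibling roles readable`. The keyword arguments `content_type = obj.content_type` and `object_id = obj.object_id` carry spaces around `=`, which PEP 8 discourages. The enclosing class RoleAccess starts outside this hunk.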