Removed RoleAccess queryset capabilities; add explicit can_read implemenation

We can probably make this into a query set if we're ever interested, but so far we just use can_read so better to have an explicit implemenation
2026-02-21 13:10:11 -03:30 · 2016-03-24 13:27:50 -04:00
parent 2a446d206e
commit bbef9b896f
1 changed files with 24 additions and 2 deletions
--- a/awx/main/access.py
+++ b/awx/main/access.py
@@ -1332,7 +1332,11 @@ class TowerSettingsAccess(BaseAccess):
 class RoleAccess(BaseAccess):
    '''
-    TODO: XXX: Needs implemenation
+    - I can see roles when
      - I am a super user
      - I am a member of that role
      - The role is a descdendent role of a role I am a member of
      - The role is an implicit role of an object that I can see a role of.
    '''
    model = Role
@@ -1340,11 +1344,26 @@ class RoleAccess(BaseAccess):
    def get_queryset(self):
        if self.user.is_superuser:
            return self.model.objects.all()
-        return Role.objects.filter(ancestors__in=self.user.roles.all())
+        return Role.objects.none()
    def can_change(self, obj, data):
        return self.user.is_superuser
    def can_read(self, obj):
        if not obj:
            return False
        if self.user.is_superuser:
            return True
        if obj.object_id:
            sister_roles = Role.objects.filter(
                content_type = obj.content_type,
                object_id = obj.object_id
            )
        else:
            sister_roles = obj
        return self.user.roles.filter(descendents__in=sister_roles).exists()
    def can_add(self, obj, data):
        # Unsupported for now
        return False
@@ -1367,6 +1386,9 @@ class RoleAccess(BaseAccess):
        return False
 register_access(User, UserAccess)
 register_access(Organization, OrganizationAccess)
 register_access(Inventory, InventoryAccess)