External-Mirrors/awx
2
0
Fork 0
mirror of https://github.com/ansible/awx.git synced 2026-01-14 11:20:39 -03:30
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #2098 from AlanCoding/u_no_copy

Browse Source 
Prohibit users without read_role from viewing copy endpoint
This commit is contained in:
Alan Rominger 2018-06-08 08:54:32 -04:00 committed by GitHub
commit bcd9c5dada
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 4 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
awx/api/generics.py
View File

@ -931,6 +931,8 @@ class CopyAPIView(GenericAPIView):
if get_request_version(request) < 2:
return self.v1_not_allowed()
obj = self.get_object()
if not request.user.can_access(obj.__class__, 'read', obj):
raise PermissionDenied()
create_kwargs = self._build_create_dict(obj)
for key in create_kwargs:
create_kwargs[key] = getattr(create_kwargs[key], 'pk', None) or create_kwargs[key]

3
awx/main/tests/functional/test_copy.py
View File

@ -170,7 +170,7 @@ def test_credential_copy(post, get, machine_credential, credentialtype_ssh, admi
@pytest.mark.django_db
def test_notification_template_copy(post, get, notification_template_with_encrypt,
organization, alice):
#notification_template_with_encrypt.admin_role.members.add(alice)
notification_template_with_encrypt.organization.auditor_role.members.add(alice)
assert get(
reverse(
'api:notification_template_copy', kwargs={'pk': notification_template_with_encrypt.pk}
@ -197,6 +197,7 @@ def test_notification_template_copy(post, get, notification_template_with_encryp
@pytest.mark.django_db
def test_inventory_script_copy(post, get, inventory_script, organization, alice):
inventory_script.organization.auditor_role.members.add(alice)
assert get(
reverse('api:inventory_script_copy', kwargs={'pk': inventory_script.pk}), alice, expect=200
).data['can_copy'] is False