Explain the RBAC model around inventory usage and adapt a view to match.

2026-01-11 10:00:01 -03:30 · 2013-03-25 17:36:51 -04:00 · 2013-03-25 17:36:51 -04:00 · be1bd56ca2
commit be1bd56ca2
parent 681b82d378
2 changed files with 26 additions and 4 deletions
--- a/lib/main/models/init.py
+++ b/lib/main/models/init.py
@ -431,12 +431,30 @@ class Permission(CommonModel):
    class Meta:
        app_label = 'main'

+    # permissions are granted to either a user or a team:
    user            = models.ForeignKey('auth.User', null=True, on_delete=SET_NULL, blank=True, related_name='permissions')
-    project         = models.ForeignKey('Project', null=True, on_delete=SET_NULL, blank=True, related_name='permissions')
    team            = models.ForeignKey('Team', null=True, on_delete=SET_NULL, blank=True, related_name='permissions')
-    inventory       = models.ForeignKey('Inventory', null=True, on_delete=SET_NULL, blank=True, related_name='permissions')
+
+    # to be used against a project or inventory (or a project and inventory in conjunction):
+    project         = models.ForeignKey('Project', null=True, on_delete=SET_NULL, blank=True, related_name='permissions')
+    inventory       = models.ForeignKey('Inventory', null=True, on_delete=SET_NULL, related_name='permissions')
+
+    # permission system explanation:
+    #
+    # for example, user A on inventory X has write permissions                 (PERM_INVENTORY_WRITE)
+    #              team C on inventory X has read permissions                  (PERM_INVENTORY_READ)
+    #              team C on inventory X and project Y has launch permissions  (PERM_INVENTORY_DEPLOY)
+    #              team C on inventory X and project Z has dry run permissions (PERM_INVENTORY_CHECK)   
+    #
+    # basically for launching, permissions can be awarded to the whole inventory source or just the inventory source
+    # in context of a given project.
+    #
+    # the project parameter is not used when dealing with READ, WRITE, or ADMIN permissions.
+
    permission_type = models.CharField(max_length=64, choices=PERMISSION_TYPE_CHOICES)

+
+
 # TODO: other job types (later)

 class LaunchJob(CommonModel):
--- a/lib/main/views.py
+++ b/lib/main/views.py
@ -266,11 +266,15 @@ class InventoryList(BaseList):
        if self.request.user.is_superuser:
            return base.all()
        admin_of  = base.filter(organization__admins__in = [ self.request.user ]).distinct()
-        has_perms = base.filter(
+        has_user_perms = base.filter(
            permissions__user__in = [ self.request.user ],
            permissions__permission_type__in = PERMISSION_TYPES_ALLOWING_INVENTORY_READ,
        ).distinct()
-        return admin_of | has_perms
+        has_team_perms = base.filter(
+            permissions__team__in = self.request.user.teams.all(),
+            permissions__permission_type__in = PERMISSION_TYPES_ALLOWING_INVENTORY_READ,
+        ).distinct()
+        return admin_of | has_user_perms | has_team_perms

 class InventoryDetail(BaseDetail):