Deletes are operational plus access control hooks for deletes.

Michael DeHaan
2013-03-21 11:06:47 -04:00
parent 843164ba04
commit c189cfcddb
4 changed files with 46 additions and 11 deletions


@@ -25,7 +25,13 @@ class OrganizationsList(generics.ListCreateAPIView):
return Organization.objects.filter(active = True, admins__in = [ self.request.user.application_user ]).distinct() | \
Organization.objects.filter(active = True, users__in = [ self.request.user.application_user ]).distinct()
def permissions_check(self, request, obj):
def list_permissions_check(self, request, obj=None):
if request.method == 'GET':
# everybody can call get, but it's filtered
return True
if request.method == 'POST':
# superusers have already been cleared, so deny regular users
return False
raise exceptions.NotImplementedError
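Review bot: The POST branch of `list_permissions_check` denies every caller and relies on superusers having been let through before the method is reached, which nothing in this hunk enforces. The caller is outside the hunk, so I would state that contract in a docstring, for example `"""Decide whether a non-superuser may use request.method on the list; the caller is expected to have allowed superusers already."""`. The closing `raise exceptions.NotImplementedError` does fail closed, but if the check is also run for other verbs (HEAD or OPTIONS, say) it would presumably surface as a server error rather than a denial. Using `return False` there keeps the default an explicit deny. The new `obj=None` parameter is not used in the visible lines, so a short comment saying why it is kept would help.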
@@ -38,13 +44,13 @@ class OrganizationsDetail(generics.RetrieveUpdateDestroyAPIView):
#def pre_save(self, obj):
# obj.owner = self.request.user
def permissions_check(self, request, obj):
admin = request.user.application_user in obj.admins.all()
user = request.user.application_user in obj.users.all()
if request.method == 'GET':
return admin or user
if request.method == 'PUT':
return admin
def item_permissions_check(self, request, obj):
admin = request.user.application_user in obj.admins.all()
user = request.user.application_user in obj.users.all()
if request.method == 'GET':
return admin or user
if request.method == 'PUT':
return admin