External-Mirrors/awx
2
0
Fork 0
mirror of https://github.com/ansible/awx.git synced 2026-03-21 19:07:39 -02:30
Code Issues Packages Projects Releases Wiki Activity

Deletes are operational plus access control hooks for deletes.

Browse Source
This commit is contained in:
Michael DeHaan
2013-03-21 11:06:47 -04:00
parent 843164ba04
commit c189cfcddb
4 changed files with 46 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
lib/main/rbac.py
View File

@@ -28,7 +28,13 @@ class CustomRbac(permissions.BasePermission):
if not self._common_user_check(request): if not self._common_user_check(request):
return False return False
if obj is None: if obj is None:
# filtering happens in the view if getattr(view, 'list_permissions_check', None):
if request.user.is_superuser:
return True
if not view.list_permissions_check(request):
raise PermissionDenied()
elif not getattr(view, 'item_permissions_check', None):
raise Exception("internal error, list_permissions_check or item_permissions_check must be defined")
return True return True
else: else:
# haven't tested around these confines yet # haven't tested around these confines yet
@@ -39,6 +45,6 @@ class CustomRbac(permissions.BasePermission):
return True return True
if not self._common_user_check(request): if not self._common_user_check(request):
return False return False
if not view.permissions_check(request, obj): if not view.item_permissions_check(request, obj):
raise PermissionDenied() raise PermissionDenied()
return True return True

4
lib/main/serializers.py
View File

@@ -2,6 +2,10 @@ from django.contrib.auth.models import User as DjangoUser
from lib.main.models import User, Organization, Project from lib.main.models import User, Organization, Project
from rest_framework import serializers, pagination from rest_framework import serializers, pagination
# FIXME: add all fields here
# FIXME: make proper fields read only
# FIXME: add URLs for sub resources like /organizations/2/projects/
class OrganizationSerializer(serializers.ModelSerializer): class OrganizationSerializer(serializers.ModelSerializer):
url = serializers.CharField(source='get_absolute_url', read_only=True) url = serializers.CharField(source='get_absolute_url', read_only=True)

21
lib/main/tests.py
View File

@@ -185,7 +185,23 @@ class OrganizationsTest(BaseTest):
pass pass
def test_post_item(self): def test_post_item(self):
pass
new_org = dict(name='magic test org', description='8675309')
# need to be a valid user
self.post(self.collection(), new_org, expect=401, auth=None)
self.post(self.collection(), new_org, expect=401, auth=self.get_invalid_credentials())
# only super users can create organizations
self.post(self.collection(), new_org, expect=403, auth=self.get_normal_credentials())
self.post(self.collection(), new_org, expect=403, auth=self.get_other_credentials())
data1 = self.post(self.collection(), new_org, expect=201, auth=self.get_super_credentials())
# duplicate post results in 400
data2 = self.post(self.collection(), new_org, expect=400, auth=self.get_super_credentials())
# look at what we got back from the post, make sure we added an org
self.assertTrue(data1['url'].endswith("/11/"))
def test_post_item_subobjects_projects(self): def test_post_item_subobjects_projects(self):
pass pass
@@ -222,6 +238,9 @@ class OrganizationsTest(BaseTest):
# super user can also put even though they aren't added to the org users or admins list # super user can also put even though they aren't added to the org users or admins list
self.put(urls[1], new_data1, expect=200, auth=self.get_super_credentials()) self.put(urls[1], new_data1, expect=200, auth=self.get_super_credentials())
# make sure posting to this URL is not supported
self.post(urls[1], new_data1, expect=405, auth=self.get_super_credentials())
def test_put_item_subobjects_projects(self): def test_put_item_subobjects_projects(self):
pass pass

22
lib/main/views.py
View File

@@ -25,7 +25,13 @@ class OrganizationsList(generics.ListCreateAPIView):
return Organization.objects.filter(active = True, admins__in = [ self.request.user.application_user ]).distinct() | \ return Organization.objects.filter(active = True, admins__in = [ self.request.user.application_user ]).distinct() | \
Organization.objects.filter(active = True, users__in = [ self.request.user.application_user ]).distinct() Organization.objects.filter(active = True, users__in = [ self.request.user.application_user ]).distinct()
def permissions_check(self, request, obj): def list_permissions_check(self, request, obj=None):
if request.method == 'GET':
# everybody can call get, but it's filtered
return True
if request.method == 'POST':
# superusers have already been cleared, so deny regular users
return False
raise exceptions.NotImplementedError raise exceptions.NotImplementedError
@@ -38,13 +44,13 @@ class OrganizationsDetail(generics.RetrieveUpdateDestroyAPIView):
#def pre_save(self, obj): #def pre_save(self, obj):
# obj.owner = self.request.user # obj.owner = self.request.user
def permissions_check(self, request, obj): def item_permissions_check(self, request, obj):
admin = request.user.application_user in obj.admins.all() admin = request.user.application_user in obj.admins.all()
user = request.user.application_user in obj.users.all() user = request.user.application_user in obj.users.all()
if request.method == 'GET': if request.method == 'GET':
return admin or user return admin or user
if request.method == 'PUT': if request.method == 'PUT':
return admin return admin