From c2e9237b1493b337b551d94e67506f382cbc3e59 Mon Sep 17 00:00:00 2001 From: Wayne Witzel III Date: Wed, 13 Apr 2016 13:06:08 -0400 Subject: [PATCH] adjusting access based on PR feedback --- awx/main/access.py | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/awx/main/access.py b/awx/main/access.py index 7f5babaa0f..6ea07c318b 100644 --- a/awx/main/access.py +++ b/awx/main/access.py @@ -773,10 +773,6 @@ class JobTemplateAccess(BaseAccess): if self.user.is_superuser: return True - # Must have an inventory if you are not a superuser. - if obj.inventory is None: - return False - if obj.job_type == PERM_INVENTORY_SCAN: # Scan job with default project, must have JT execute or be org admin if obj.project is None and obj.inventory: @@ -859,14 +855,18 @@ class JobAccess(BaseAccess): # A super user can relaunch a job if self.user.is_superuser: return True + # If a user can launch the job template then they can relaunch a job from that # job template - has_perm = False - if obj.job_template is not None and obj.job_template.accessible_by(self.user, {'execute':True}): - has_perm = True - dep_access_inventory = obj.inventory.accessible_by(self.user, {'use':True}) - dep_access_project = obj.project is None or obj.project.accessible_by(self.user, {'read':True}) - return self.can_read(obj) and dep_access_inventory and dep_access_project and has_perm + if obj.job_template is not None: + return obj.job_template.accessible_by(self.user, {'execute': True}) + + inventory_access = obj.inventory.accessible_by(self.user, {'use':True}) + + org_access = obj.inventory.organization.accessible_by(self.user, ALL_PERMISSIONS) + project_access = obj.project is None or obj.project.accessible_by(self.user, ALL_PERMISSIONS) + + return inventory_access and (org_access or project_access) def can_cancel(self, obj): return self.can_read(obj) and obj.can_cancel
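Review bot: With the `obj.inventory is None` guard removed, a non-superuser request on a template that has no inventory now reaches every check below it, and the only inventory test visible in this hunk is the scan branch's `if obj.project is None and obj.inventory:`. The rest of the method lies outside the hunk, so any later dereference of `obj.inventory` should be confirmed to deny rather than raise or fall through to a grant. A comment where the guard used to be, e.g. `# obj.inventory may be None from here on; every branch below must handle it`, would make the new contract explicit. A test for a non-superuser against an inventory-less template would pin the intended result.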
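Review bot: The early return for jobs that still have a template grants relaunch on template `execute` alone, so the `self.can_read(obj)`, inventory `use` and project checks that the old return enforced no longer apply on that path. If a relaunch reuses the inventory and project recorded on the job rather than the template's current ones (not visible here), a user who has lost `use` on that inventory could still run against it; consider computing `inventory_access` first and using `return inventory_access and obj.job_template.accessible_by(self.user, {'execute': True})`. On the path without a template, `project_access` is `True` whenever `obj.project is None`, which makes `org_access` irrelevant and leaves inventory `use` as the only requirement. In addition, `obj.inventory.accessible_by(...)` and `obj.inventory.organization.accessible_by(...)` raise `AttributeError` instead of denying when either object is `None`, so a guard such as `if obj.inventory is None: return False` ahead of them would fail closed. The method's signature is above the hunk, so this is based only on the lines shown.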