Merge pull request #4483 from ryanpetrello/multi-owner

fix bug where cred org permission was not checked Reviewed-by: https://github.com/softwarefactory-project-zuul[bot]
2026-01-16 12:20:45 -03:30 · 2019-08-14 19:54:57 +00:00 · 2019-08-14 19:54:57 +00:00 · c35fbd6853
commit c35fbd6853
parent 8df70f5412 4831cde39f
2 changed files with 23 additions and 5 deletions
--- a/awx/main/access.py
+++ b/awx/main/access.py
@ -1168,15 +1168,20 @@ class CredentialAccess(BaseAccess):
            return True
        if data and data.get('user', None):
            user_obj = get_object_from_data('user', User, data)
-            return bool(self.user == user_obj or UserAccess(self.user).can_admin(user_obj, None, check_setting=False))
+            if not bool(self.user == user_obj or UserAccess(self.user).can_admin(user_obj, None, check_setting=False)):
+                return False
        if data and data.get('team', None):
            team_obj = get_object_from_data('team', Team, data)
-            return check_user_access(self.user, Team, 'change', team_obj, None)
+            if not check_user_access(self.user, Team, 'change', team_obj, None):
+                return False
        if data and data.get('organization', None):
            organization_obj = get_object_from_data('organization', Organization, data)
-            return any([check_user_access(self.user, Organization, 'change', organization_obj, None),
-                        self.user in organization_obj.credential_admin_role])
-        return False
+            if not any([check_user_access(self.user, Organization, 'change', organization_obj, None),
+                        self.user in organization_obj.credential_admin_role]):
+                return False
+        if not any(data.get(key, None) for key in ('user', 'team', 'organization')):
+            return False  # you have to provide 1 owner field
+        return True

    @check_superuser
    def can_use(self, obj):
--- a/awx/main/tests/functional/test_rbac_credential.py
+++ b/awx/main/tests/functional/test_rbac_credential.py
@ -74,6 +74,19 @@ def test_org_credential_access_admin(role_name, alice, org_credential):
        'organization': org_credential.organization.pk})


+@pytest.mark.django_db
+def test_org_and_user_credential_access(alice, organization):
+    """Address specific bug where any user could make an org credential
+    in another org without any permissions to that org
+    """
+    # Owner is both user and org, but org permission should still be checked
+    assert not CredentialAccess(alice).can_add({
+        'name': 'New credential.',
+        'user': alice.pk,
+        'organization': organization.pk
+    })
+
+
@pytest.mark.django_db
 def test_org_credential_access_member(alice, org_credential):
    org_credential.admin_role.members.add(alice)