Merge pull request #4483 from ryanpetrello/multi-owner
fix bug where cred org permission was not checked Reviewed-by: https://github.com/softwarefactory-project-zuul[bot]
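--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -1168,15 +1168,20 @@ class CredentialAccess(BaseAccess):
 return True
 if data and data.get('user', None):
 user_obj = get_object_from_data('user', User, data)
-return bool(self.user == user_obj or UserAccess(self.user).can_admin(user_obj, None, check_setting=False))
+if not bool(self.user == user_obj or UserAccess(self.user).can_admin(user_obj, None, check_setting=False)):
+return False
 if data and data.get('team', None):
 team_obj = get_object_from_data('team', Team, data)
-return check_user_access(self.user, Team, 'change', team_obj, None)
+if not check_user_access(self.user, Team, 'change', team_obj, None):
+return False
 if data and data.get('organization', None):
 organization_obj = get_object_from_data('organization', Organization, data)
-return any([check_user_access(self.user, Organization, 'change', organization_obj, None),
-self.user in organization_obj.credential_admin_role])
+if not any([check_user_access(self.user, Organization, 'change', organization_obj, None),
+self.user in organization_obj.credential_admin_role]):
 return False
+if not any(data.get(key, None) for key in ('user', 'team', 'organization')):
+return False # you have to provide 1 owner field
+return True
 
 @check_superuser
 def can_use(self, obj):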
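Review bot: The rewritten owner checks in can_add now all have to pass, but nothing in the code states that, so a later edit that restores an early `return True` in one branch would reintroduce exactly the bug this commit fixes. Add above the first `if data and data.get('user', None):` the two-line comment `# Every owner field supplied must independently pass its own check; one` / `# authorized owner never short-circuits the checks for the others.`. The `if data and ...` guards look redundant given the context `return True` just above them, which presumably is an empty-data early exit, but the head of can_add is outside the hunk, so confirm that before dropping them. In the user branch `not bool(x or y)` is the same as `not (x or y)`; the `bool()` wrapper can go.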
@@ -74,6 +74,19 @@ def test_org_credential_access_admin(role_name, alice, org_credential):
|
|||||||
'organization': org_credential.organization.pk})
|
'organization': org_credential.organization.pk})
|
||||||
|
|
||||||
|
|
||||||
|
@pytest.mark.django_db
|
||||||
|
def test_org_and_user_credential_access(alice, organization):
|
||||||
|
"""Address specific bug where any user could make an org credential
|
||||||
|
in another org without any permissions to that org
|
||||||
|
"""
|
||||||
|
# Owner is both user and org, but org permission should still be checked
|
||||||
|
assert not CredentialAccess(alice).can_add({
|
||||||
|
'name': 'New credential.',
|
||||||
|
'user': alice.pk,
|
||||||
|
'organization': organization.pk
|
||||||
|
})
|
||||||
|
|
||||||
|
|
||||||
@pytest.mark.django_db
|
@pytest.mark.django_db
|
||||||
def test_org_credential_access_member(alice, org_credential):
|
def test_org_credential_access_member(alice, org_credential):
|
||||||
org_credential.admin_role.members.add(alice)
|
org_credential.admin_role.members.add(alice)
|
||||||
|
|||||||
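Review bot: The new regression test exercises only the user-plus-organization combination, while the same fix also changed the team branch and added the requirement that at least one owner field be present; neither is covered here. A one-line assertion such as `assert not CredentialAccess(alice).can_add({'name': 'New credential.'})` would pin the no-owner case, and a team-plus-organization variant of test_org_and_user_credential_access would cover the other branch. The docstring could also state the precondition the assertion relies on, namely that alice holds no role in the `organization` fixture.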