External-Mirrors/awx
2
0
Fork 0
mirror of https://github.com/ansible/awx.git synced 2026-05-19 23:07:42 -02:30
Code Issues Packages Projects Releases Wiki Activity

check team permissions if attaching user roles

Browse Source
This commit is contained in:
AlanCoding
2016-06-13 12:34:10 -04:00
parent b485b85076
commit c631761091
3 changed files with 4 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
awx/main/access.py
View File

@@ -660,8 +660,9 @@ class TeamAccess(BaseAccess):
return self.can_change(obj, None) return self.can_change(obj, None)
def can_attach(self, obj, sub_obj, relationship, *args, **kwargs): def can_attach(self, obj, sub_obj, relationship, *args, **kwargs):
"Reverse obj and sub_obj, defer to RoleAccess if this is a role assignment." """Reverse obj and sub_obj, defer to RoleAccess if this is an assignment
if relationship == 'member_role.children': of a resource role to the team."""
if isinstance(sub_obj, Role) and isinstance(sub_obj.content_object, ResourceMixin):
role_access = RoleAccess(self.user) role_access = RoleAccess(self.user)
return role_access.can_attach(sub_obj, obj, 'member_role.parents', return role_access.can_attach(sub_obj, obj, 'member_role.parents',
*args, **kwargs) *args, **kwargs)
@@ -669,7 +670,7 @@ class TeamAccess(BaseAccess):
*args, **kwargs) *args, **kwargs)
def can_unattach(self, obj, sub_obj, relationship, *args, **kwargs): def can_unattach(self, obj, sub_obj, relationship, *args, **kwargs):
if relationship == 'member_role.children': if isinstance(sub_obj, Role) and isinstance(sub_obj.content_object, ResourceMixin):
role_access = RoleAccess(self.user) role_access = RoleAccess(self.user)
return role_access.can_unattach(sub_obj, obj, 'member_role.parents', return role_access.can_unattach(sub_obj, obj, 'member_role.parents',
*args, **kwargs) *args, **kwargs)

3
awx/main/tests/functional/api/test_create_attach_views.py
View File

@@ -15,7 +15,6 @@ def test_user_role_view_access(rando, inventory, mocker, post):
mock_access.can_attach.assert_called_once_with( mock_access.can_attach.assert_called_once_with(
inventory.admin_role, rando, 'members', data, inventory.admin_role, rando, 'members', data,
skip_sub_obj_read_check=False) skip_sub_obj_read_check=False)
assert rando not in inventory.admin_role
@pytest.mark.django_db @pytest.mark.django_db
def test_team_role_view_access(rando, team, inventory, mocker, post): def test_team_role_view_access(rando, team, inventory, mocker, post):
@@ -30,7 +29,6 @@ def test_team_role_view_access(rando, team, inventory, mocker, post):
mock_access.can_attach.assert_called_once_with( mock_access.can_attach.assert_called_once_with(
inventory.admin_role, team, 'member_role.parents', data, inventory.admin_role, team, 'member_role.parents', data,
skip_sub_obj_read_check=False) skip_sub_obj_read_check=False)
assert team not in inventory.admin_role
@pytest.mark.django_db @pytest.mark.django_db
def test_role_team_view_access(rando, team, inventory, mocker, post): def test_role_team_view_access(rando, team, inventory, mocker, post):
@@ -45,4 +43,3 @@ def test_role_team_view_access(rando, team, inventory, mocker, post):
mock_access.assert_called_once_with( mock_access.assert_called_once_with(
inventory.admin_role, team, 'member_role.parents', data, inventory.admin_role, team, 'member_role.parents', data,
skip_sub_obj_read_check=False) skip_sub_obj_read_check=False)
assert team not in inventory.admin_role

1
awx/main/tests/functional/test_rbac_role.py
View File

@@ -30,4 +30,3 @@ def test_role_access_attach(rando, inventory):
inventory.read_role.members.add(rando) inventory.read_role.members.add(rando)
access = RoleAccess(rando) access = RoleAccess(rando)
assert not access.can_attach(inventory.admin_role, rando, 'members', None) assert not access.can_attach(inventory.admin_role, rando, 'members', None)