[RBAC] Fix bug where team could not be given read_role to other team (#15067)

* Fix bug where team could not be given read_role to other team

* Avoid unwanted triggers of parentage granting

* Restructure signal structure

* Fix another bug unmasked by team member permission fix

* Changes to live with test writing

* Use equality as opposed to string "in"

from Seth in review comment

Co-authored-by: Seth Foster <fosterseth@users.noreply.github.com>

---------

Co-authored-by: Seth Foster <fosterseth@users.noreply.github.com>
Alan Rominger
2024-04-05 13:59:18 -04:00
parent a138a92e67
commit c98727d83e
4 changed files with 37 additions and 13 deletions


@@ -665,8 +665,6 @@ def sync_parents_to_new_rbac(instance, action, model, pk_set, reverse, **kwargs)
elif action == 'post_clear':
raise RuntimeError('Clearing of role members not supported')
from awx.main.models.organization import Team
if reverse:
parent_role = instance
else:
@@ -680,15 +678,17 @@ def sync_parents_to_new_rbac(instance, action, model, pk_set, reverse, **kwargs)
# To a fault, we want to avoid running this if triggered from implicit_parents management
# we only want to do anything if we know for sure this is a non-implicit team role
if parent_role.role_field not in ('member_role', 'admin_role') or parent_role.content_type.model != 'team':
return
if parent_role.role_field == 'member_role' and parent_role.content_type.model == 'team':
# Team internal parents are member_role->read_role and admin_role->member_role
# for the same object, this parenting will also be implicit_parents management
# do nothing for internal parents, but OTHER teams may still be assigned permissions to a team
if (child_role.content_type_id == parent_role.content_type_id) and (child_role.object_id == parent_role.object_id):
return
# Team member role is a parent of its read role so we want to avoid this
if child_role.role_field == 'read_role' and child_role.content_type.model == 'team':
return
from awx.main.models.organization import Team
team = Team.objects.get(pk=parent_role.object_id)
give_or_remove_permission(child_role, team, giving=is_giving)
team = Team.objects.get(pk=parent_role.object_id)
give_or_remove_permission(child_role, team, giving=is_giving)
m2m_changed.connect(sync_members_to_new_rbac, Role.members.through)
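Review bot: The guard `if child_role.role_field == 'read_role' and child_role.content_type.model == 'team': return` returns for every team read_role child, not only the parent team's own, while the same-object check two lines above it already returns for the internal member_role->read_role parenting; if that line survives on the new side it still skips exactly the cross-team read_role grant the commit title says is being fixed, and because the call passes `giving=is_giving` it skips the matching revoke on that path as well, leaving a permission in place after the parent link is removed. Either drop the second guard in favour of the same-object check, or make its intent explicit, e.g. `# only the parent team's OWN read_role is implicit; other teams' read_role must still be granted`, and narrow the condition to `child_role.object_id == parent_role.object_id` alongside the content-type test. The `+`/`-` markers are lost on this rendered page, so which of the two `team = Team.objects.get(...)` / `give_or_remove_permission(...)` pairs is the new side is inferred from the indentation and the 15/17 line counts. sync_parents_to_new_rbac starts outside the hunk, and child_role and is_giving are bound there.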