Merge pull request #2933 from AlanCoding/notifier_org_auditor

Allow org auditors to see notifications

awx/main/access.py

@@ -1420,7 +1420,10 @@ class NotificationAccess(BaseAccess):
         qs = self.model.objects.all()
         if self.user.is_superuser or self.user.is_system_auditor:
             return qs
-        return self.model.objects.filter(notification_template__organization__in=Organization.accessible_objects(self.user, 'admin_role'))
+        return self.model.objects.filter(
+            Q(notification_template__organization__in=self.user.admin_of_organizations) |
+            Q(notification_template__organization__in=self.user.auditor_of_organizations)
+        ).distinct()
 
     def can_read(self, obj):
         return self.user.can_access(NotificationTemplate, 'read', obj.notification_template)

awx/main/tests/functional/conftest.py

@@ -38,7 +38,10 @@ from awx.main.models.organization import (
     Team,
 )
 
-from awx.main.models.notifications import NotificationTemplate
+from awx.main.models.notifications import (
+    NotificationTemplate,
+    Notification
+)
 
 '''
 Disable all django model signals.
@@ -193,6 +196,15 @@ def notification_template(organization):
                                                notification_configuration=dict(url="http://localhost",
                                                                                headers={"Test": "Header"}))
 
+@pytest.fixture
+def notification(notification_template):
+    return Notification.objects.create(notification_template=notification_template,
+                                       status='successful',
+                                       notifications_sent=1,
+                                       notification_type='email',
+                                       recipients='admin@redhat.com',
+                                       subject='email subject')
+
 @pytest.fixture
 def job_with_secret_key(job_with_secret_key_factory):
     return job_with_secret_key_factory(persisted=True)

awx/main/tests/functional/test_rbac_notifications.py

@@ -1,6 +1,9 @@
 import pytest
 
-from awx.main.access import NotificationTemplateAccess
+from awx.main.access import (
+    NotificationTemplateAccess,
+    NotificationAccess
+)
 
 @pytest.mark.django_db
 def test_notification_template_get_queryset_orgmember(notification_template, user):
@@ -86,3 +89,31 @@ def test_notificaiton_template_orphan_access_org_admin(notification_template, or
     notification_template.organization = None
     access = NotificationTemplateAccess(org_admin)
     assert not access.can_change(notification_template, {'organization': organization.id})
+
+@pytest.mark.django_db
+def test_notification_access_get_queryset_org_admin(notification, org_admin):
+    access = NotificationAccess(org_admin)
+    assert access.get_queryset().count() == 1
+
+@pytest.mark.django_db
+def test_notification_access_get_queryset_org_auditor(notification, org_auditor):
+    access = NotificationAccess(org_auditor)
+    assert access.get_queryset().count() == 1
+
+@pytest.mark.django_db
+def test_notification_access_system_admin(notification, admin):
+    access = NotificationAccess(admin)
+    assert access.can_read(notification)
+    assert access.can_delete(notification)
+
+@pytest.mark.django_db
+def test_notification_access_org_admin(notification, org_admin):
+    access = NotificationAccess(org_admin)
+    assert access.can_read(notification)
+    assert access.can_delete(notification)
+
+@pytest.mark.django_db
+def test_notification_access_org_auditor(notification, org_auditor):
+    access = NotificationAccess(org_auditor)
+    assert access.can_read(notification)
+    assert not access.can_delete(notification)