Tightened user can_admin access so only sys admins and org admins can admin users

2026-01-13 11:00:03 -03:30 · 2016-03-22 11:40:06 -04:00 · 2016-03-22 11:40:06 -04:00 · cb83ee3ec6
commit cb83ee3ec6
parent 4dcf51e791
1 changed files with 1 additions and 1 deletions
--- a/awx/main/access.py
+++ b/awx/main/access.py
@ -244,7 +244,7 @@ class UserAccess(BaseAccess):
        # Admin implies changing all user fields.
        if self.user.is_superuser:
            return True
-        return obj.accessible_by(self.user, {'create': True, 'write':True, 'update':True, 'read':True})
+        return Organization.objects.filter(member_role__members=obj, admin_role__members=self.user).exists()

    def can_delete(self, obj):
        if obj == self.user: