fix a bug in OPTIONS /api/v2/schedules/

a side effect of this bug is that `awx schedules create` doesn't work properly for non-admin users (i.e., users who have execute access for a JT) see: https://github.com/ansible/awx/issues/5717
2026-01-13 02:50:02 -03:30 · 2020-03-05 14:43:54 -05:00 · 2020-03-05 14:43:54 -05:00 · cd1ff6b16a
commit cd1ff6b16a
parent e34e88549f
2 changed files with 45 additions and 0 deletions
--- a/awx/main/access.py
+++ b/awx/main/access.py
@ -2429,6 +2429,11 @@ class ScheduleAccess(BaseAccess):
    def can_add(self, data):
        if not JobLaunchConfigAccess(self.user).can_add(data):
            return False
+        if not data:
+            return UnifiedJobTemplate.accessible_pk_qs(
+                self.user, 'execute_role'
+            ).exists()
+
        return self.check_related('unified_job_template', UnifiedJobTemplate, data, role_field='execute_role', mandatory=True)

    @check_superuser
--- a/awx/main/tests/functional/api/test_schedules.py
+++ b/awx/main/tests/functional/api/test_schedules.py
@ -365,3 +365,43 @@ def test_zoneinfo(get, admin_user):
    url = reverse('api:schedule_zoneinfo')
    r = get(url, admin_user, expect=200)
    assert {'name': 'America/New_York'} in r.data
+
+
+@pytest.mark.django_db
+def test_normal_user_can_create_ujt_schedule(options, post, project, inventory, alice):
+    jt1 = JobTemplate.objects.create(
+        name='test-jt',
+        project=project,
+        playbook='helloworld.yml',
+        inventory=inventory
+    )
+    jt1.save()
+    url = reverse('api:schedule_list')
+
+    # can't create a schedule on JT1 because we don't have execute rights
+    params = {
+        'name': 'My Example Schedule',
+        'rrule': RRULE_EXAMPLE,
+        'unified_job_template': jt1.id,
+    }
+    assert 'POST' not in options(url, user=alice).data['actions'].keys()
+    post(url, params, alice, expect=403)
+
+    # now we can, because we're allowed to execute JT1
+    jt1.execute_role.members.add(alice)
+    assert 'POST' in options(url, user=alice).data['actions'].keys()
+    post(url, params, alice, expect=201)
+
+    # can't create a schedule on JT2 because we don't have execute rights
+    jt2 = JobTemplate.objects.create(
+        name='test-jt-2',
+        project=project,
+        playbook='helloworld.yml',
+        inventory=inventory
+    )
+    jt2.save()
+    post(url, {
+        'name': 'My Example Schedule',
+        'rrule': RRULE_EXAMPLE,
+        'unified_job_template': jt2.id,
+    }, alice, expect=403)