External-Mirrors/awx
2
0
Fork 0
mirror of https://github.com/ansible/awx.git synced 2026-03-01 00:38:45 -03:30
Code Issues Packages Projects Releases Wiki Activity

fix a bug in OPTIONS /api/v2/schedules/

Browse Source 
a side effect of this bug is that `awx schedules create` doesn't work
properly for non-admin users (i.e., users who have execute access for
a JT)

see: https://github.com/ansible/awx/issues/5717
This commit is contained in:
Ryan Petrello
2020-03-05 14:43:54 -05:00
parent e34e88549f
commit cd1ff6b16a
2 changed files with 45 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
awx/main/access.py
View File

@@ -2429,6 +2429,11 @@ class ScheduleAccess(BaseAccess):
def can_add(self, data): def can_add(self, data):
if not JobLaunchConfigAccess(self.user).can_add(data): if not JobLaunchConfigAccess(self.user).can_add(data):
return False return False
if not data:
return UnifiedJobTemplate.accessible_pk_qs(
self.user, 'execute_role'
).exists()
return self.check_related('unified_job_template', UnifiedJobTemplate, data, role_field='execute_role', mandatory=True) return self.check_related('unified_job_template', UnifiedJobTemplate, data, role_field='execute_role', mandatory=True)
@check_superuser @check_superuser

40
awx/main/tests/functional/api/test_schedules.py
View File

@@ -365,3 +365,43 @@ def test_zoneinfo(get, admin_user):
url = reverse('api:schedule_zoneinfo') url = reverse('api:schedule_zoneinfo')
r = get(url, admin_user, expect=200) r = get(url, admin_user, expect=200)
assert {'name': 'America/New_York'} in r.data assert {'name': 'America/New_York'} in r.data
@pytest.mark.django_db
def test_normal_user_can_create_ujt_schedule(options, post, project, inventory, alice):
jt1 = JobTemplate.objects.create(
name='test-jt',
project=project,
playbook='helloworld.yml',
inventory=inventory
)
jt1.save()
url = reverse('api:schedule_list')
# can't create a schedule on JT1 because we don't have execute rights
params = {
'name': 'My Example Schedule',
'rrule': RRULE_EXAMPLE,
'unified_job_template': jt1.id,
}
assert 'POST' not in options(url, user=alice).data['actions'].keys()
post(url, params, alice, expect=403)
# now we can, because we're allowed to execute JT1
jt1.execute_role.members.add(alice)
assert 'POST' in options(url, user=alice).data['actions'].keys()
post(url, params, alice, expect=201)
# can't create a schedule on JT2 because we don't have execute rights
jt2 = JobTemplate.objects.create(
name='test-jt-2',
project=project,
playbook='helloworld.yml',
inventory=inventory
)
jt2.save()
post(url, {
'name': 'My Example Schedule',
'rrule': RRULE_EXAMPLE,
'unified_job_template': jt2.id,
}, alice, expect=403)