enforce read access for team/child roles

Wayne Witzel III 2016-06-27 10:56:34 -04:00
parent fca4e75e03
commit ce3ce8d930
3 changed files with 7 additions and 7 deletions


@ -425,7 +425,7 @@ class SubListCreateAttachDetachAPIView(SubListCreateAPIView):
sub = get_object_or_400(self.model, pk=sub_id)
if not request.user.can_access(self.parent_model, 'unattach', parent,
sub, self.relationship):
sub, self.relationship, request.data):
raise PermissionDenied()
if parent_key:
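Review bot: The `request.data` now forwarded on the changed `can_access(..., 'unattach', ...)` line is the whole disassociate request body, and the third file section shows `BaseAccess.can_unattach` passing it straight into `self.can_change(obj, data)` where it previously passed `None`; any `can_change` override that reads keys out of `data` as proposed field changes will now be evaluating the association payload instead, which could alter its verdict. If only the role read check needs the payload, consider keeping `return self.can_change(obj, None)` in the base class and consuming `data` solely in `RoleAccess.can_unattach`, or at least add a comment on the base method stating what `data` is expected to hold for an unattach, e.g. `# data: the raw disassociate request body, not a field update`. The same change appears in GroupChildrenList.unattach in the second file section. The enclosing unattach method starts before and continues past the hunk in both sections.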


@ -1759,7 +1759,7 @@ class GroupChildrenList(SubListCreateAttachDetachAPIView):
sub = get_object_or_400(self.model, pk=sub_id)
if not request.user.can_access(self.parent_model, 'unattach', parent,
sub, self.relationship):
sub, self.relationship, request.data):
raise PermissionDenied()
if sub.parents.exclude(pk=parent.pk).count() == 0:


@ -170,8 +170,8 @@ class BaseAccess(object):
return bool(self.can_change(obj, None) and
self.user.can_access(type(sub_obj), 'read', sub_obj))
def can_unattach(self, obj, sub_obj, relationship):
return self.can_change(obj, None)
def can_unattach(self, obj, sub_obj, relationship, data=None):
return self.can_change(obj, data)
def check_license(self, add_host=False, feature=None, check_expiration=True):
reader = TaskSerializer()
@ -1594,11 +1594,11 @@ class RoleAccess(BaseAccess):
def can_attach(self, obj, sub_obj, relationship, data,
skip_sub_obj_read_check=False):
return self.can_unattach(obj, sub_obj, relationship)
return self.can_unattach(obj, sub_obj, relationship, data, skip_sub_obj_read_check)
@check_superuser
def can_unattach(self, obj, sub_obj, relationship):
if relationship == 'members':
def can_unattach(self, obj, sub_obj, relationship, data=None, skip_sub_obj_read_check=False):
if not skip_sub_obj_read_check and relationship in ['members', 'member_role.parents']:
if not check_user_access(self.user, sub_obj.__class__, 'read', sub_obj):
return False