External-Mirrors/awx
2
0
Fork 0
mirror of https://github.com/ansible/awx.git synced 2026-06-23 23:57:52 -02:30
Code Issues Packages Projects Releases Wiki Activity

enforce read access for team/child roles

Browse Source
This commit is contained in:
Wayne Witzel III
2016-06-27 10:56:34 -04:00
parent fca4e75e03
commit ce3ce8d930
3 changed files with 7 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
awx/main/access.py
View File

@@ -170,8 +170,8 @@ class BaseAccess(object):
return bool(self.can_change(obj, None) and
self.user.can_access(type(sub_obj), 'read', sub_obj))
def can_unattach(self, obj, sub_obj, relationship):
return self.can_change(obj, None)
def can_unattach(self, obj, sub_obj, relationship, data=None):
return self.can_change(obj, data)
def check_license(self, add_host=False, feature=None, check_expiration=True):
reader = TaskSerializer()
@@ -1594,11 +1594,11 @@ class RoleAccess(BaseAccess):
def can_attach(self, obj, sub_obj, relationship, data,
skip_sub_obj_read_check=False):
return self.can_unattach(obj, sub_obj, relationship)
return self.can_unattach(obj, sub_obj, relationship, data, skip_sub_obj_read_check)
@check_superuser
def can_unattach(self, obj, sub_obj, relationship):
if relationship == 'members':
def can_unattach(self, obj, sub_obj, relationship, data=None, skip_sub_obj_read_check=False):
if not skip_sub_obj_read_check and relationship in ['members', 'member_role.parents']:
if not check_user_access(self.user, sub_obj.__class__, 'read', sub_obj):
return False