External-Mirrors/awx
2
0
Fork 0
mirror of https://github.com/ansible/awx.git synced 2026-03-05 18:51:06 -03:30
Code Issues Packages Projects Releases Wiki Activity

enforce read access for team/child roles

Browse Source
This commit is contained in:
Wayne Witzel III
2016-06-27 10:56:34 -04:00
parent fca4e75e03
commit ce3ce8d930
3 changed files with 7 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
awx/api/generics.py
View File

@@ -425,7 +425,7 @@ class SubListCreateAttachDetachAPIView(SubListCreateAPIView):
sub = get_object_or_400(self.model, pk=sub_id) sub = get_object_or_400(self.model, pk=sub_id)
if not request.user.can_access(self.parent_model, 'unattach', parent, if not request.user.can_access(self.parent_model, 'unattach', parent,
sub, self.relationship): sub, self.relationship, request.data):
raise PermissionDenied() raise PermissionDenied()
if parent_key: if parent_key:

2
awx/api/views.py
View File

@@ -1759,7 +1759,7 @@ class GroupChildrenList(SubListCreateAttachDetachAPIView):
sub = get_object_or_400(self.model, pk=sub_id) sub = get_object_or_400(self.model, pk=sub_id)
if not request.user.can_access(self.parent_model, 'unattach', parent, if not request.user.can_access(self.parent_model, 'unattach', parent,
sub, self.relationship): sub, self.relationship, request.data):
raise PermissionDenied() raise PermissionDenied()
if sub.parents.exclude(pk=parent.pk).count() == 0: if sub.parents.exclude(pk=parent.pk).count() == 0:

10
awx/main/access.py
View File

@@ -170,8 +170,8 @@ class BaseAccess(object):
return bool(self.can_change(obj, None) and return bool(self.can_change(obj, None) and
self.user.can_access(type(sub_obj), 'read', sub_obj)) self.user.can_access(type(sub_obj), 'read', sub_obj))
def can_unattach(self, obj, sub_obj, relationship): def can_unattach(self, obj, sub_obj, relationship, data=None):
return self.can_change(obj, None) return self.can_change(obj, data)
def check_license(self, add_host=False, feature=None, check_expiration=True): def check_license(self, add_host=False, feature=None, check_expiration=True):
reader = TaskSerializer() reader = TaskSerializer()
@@ -1594,11 +1594,11 @@ class RoleAccess(BaseAccess):
def can_attach(self, obj, sub_obj, relationship, data, def can_attach(self, obj, sub_obj, relationship, data,
skip_sub_obj_read_check=False): skip_sub_obj_read_check=False):
return self.can_unattach(obj, sub_obj, relationship) return self.can_unattach(obj, sub_obj, relationship, data, skip_sub_obj_read_check)
@check_superuser @check_superuser
def can_unattach(self, obj, sub_obj, relationship): def can_unattach(self, obj, sub_obj, relationship, data=None, skip_sub_obj_read_check=False):
if relationship == 'members': if not skip_sub_obj_read_check and relationship in ['members', 'member_role.parents']:
if not check_user_access(self.user, sub_obj.__class__, 'read', sub_obj): if not check_user_access(self.user, sub_obj.__class__, 'read', sub_obj):
return False return False