From cef7f5a16597119d55958eea2b3dd82d7b27f6e0 Mon Sep 17 00:00:00 2001
From: Wayne Witzel III
Date: Thu, 18 Aug 2016 09:55:20 -0400
Subject: [PATCH] prevent non-superusers from adding orphan users

---
 awx/api/permissions.py | 9 ++++++++-
 awx/api/views.py       | 1 +
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/awx/api/permissions.py b/awx/api/permissions.py
index 6e1320e2d8..285441421d 100644
--- a/awx/api/permissions.py
+++ b/awx/api/permissions.py
@@ -19,7 +19,7 @@ from awx.main.utils import get_object_or_400
 logger = logging.getLogger('awx.api.permissions')
 
 __all__ = ['ModelAccessPermission', 'JobTemplateCallbackPermission',
-           'TaskPermission', 'ProjectUpdatePermission']
+           'TaskPermission', 'ProjectUpdatePermission', 'UserPermission']
 
 class ModelAccessPermission(permissions.BasePermission):
     '''
@@ -202,3 +202,10 @@ class ProjectUpdatePermission(ModelAccessPermission):
     def check_post_permissions(self, request, view, obj=None):
         project = get_object_or_400(view.model, pk=view.kwargs['pk'])
         return check_user_access(request.user, view.model, 'start', project)
+
+
+class UserPermission(ModelAccessPermission):
+    def check_post_permissions(self, request, view, obj=None):
+        if request.user.is_superuser:
+            return True
+        raise PermissionDenied()
diff --git a/awx/api/views.py b/awx/api/views.py
index 0b20304892..a58b706856 100644
--- a/awx/api/views.py
+++ b/awx/api/views.py
@@ -1152,6 +1152,7 @@ class UserList(ListCreateAPIView):
 
     model = User
     serializer_class = UserSerializer
+    permission_classes = (UserPermission,)
 
     def post(self, request, *args, **kwargs):
         ret = super(UserList, self).post( request, *args, **kwargs)
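Review bot: `UserPermission` is added without a docstring, while the sibling `ModelAccessPermission` visible in the first hunk opens with a `'''` block; a one-line class docstring such as `'''Permission for the top-level user list: only a superuser may POST (create a user with no organization); other methods defer to ModelAccessPermission.'''` would record the intent the commit subject gives. The override also differs in shape from `ProjectUpdatePermission.check_post_permissions` just above it, which returns a bool instead of raising; if the base class already maps a False return to a denial, `return request.user.is_superuser` would be the consistent form, otherwise a short comment noting why the explicit raise is needed would help the next reader. `PermissionDenied` is not imported by this hunk, so it must already be in scope in permissions.py above the first hunk — worth confirming, as a NameError here would surface only on the first denied request.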
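Review bot: `permission_classes = (UserPermission,)` references a name this hunk does not import, so it relies on views.py picking `UserPermission` up through a star import that honours the `__all__` change in the first hunk; if views.py instead imports permission classes by name, the class body fails at module import time, and an explicit `from awx.api.permissions import UserPermission` next to the existing permission imports would remove that dependency. Assigning the tuple also replaces whatever `permission_classes` `ListCreateAPIView` supplied for this view, which keeps GET behaviour unchanged only if that default was `(ModelAccessPermission,)` alone — that cannot be confirmed from the hunk. The `UserList` class continues outside the hunk.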