Small tweaks to logic to make is_superuser change take effect

Alan Rominger 2020-12-10 13:59:46 -05:00
parent ee111be261
commit d27afe9691
No known key found for this signature in database
GPG Key ID: C2D7EAAA12B63559
2 changed files with 10 additions and 18 deletions


@ -1079,7 +1079,7 @@ class UserTeamsList(SubListAPIView):
class UserRolesList(SubListAttachDetachAPIView):
# view of the roles that a user has associated with their id
model = models.Role
serializer_class = serializers.RoleSerializerWithParentAccess
metadata_class = RoleMetadata
@ -1099,7 +1099,6 @@ class UserRolesList(SubListAttachDetachAPIView):
).exclude(content_type=content_type, object_id=u.id)
def post(self, request, *args, **kwargs):
ret = super(UserRolesList, self).post(request, *args, **kwargs)
sub_id = request.data.get('id', None)
if not sub_id:
return super(UserRolesList, self).post(request)
@ -1108,7 +1107,6 @@ class UserRolesList(SubListAttachDetachAPIView):
role = get_object_or_400(models.Role, pk=sub_id)
credential_content_type = ContentType.objects.get_for_model(models.Credential)
if role.content_type == credential_content_type:
if 'disassociate' not in request.data and role.content_object.organization and user not in role.content_object.organization.member_role:
data = dict(msg=_("You cannot grant credential access to a user not in the credentials' organization"))
@ -1117,10 +1115,7 @@ class UserRolesList(SubListAttachDetachAPIView):
if not role.content_object.organization and not request.user.is_superuser:
data = dict(msg=_("You cannot grant private credential access to another user"))
return Response(data, status=status.HTTP_400_BAD_REQUEST)
if request.data.get('id', None) == 1:
request.data['role_field'] = "System Administrator"
request.data["is_superuser"] = True
# this won't work because it doesn't impact the user model, which is where `is_superuser` is found and is what needs to be changed
return super(UserRolesList, self).post(request, *args, **kwargs)
@ -4364,7 +4359,7 @@ class RoleDetail(RetrieveAPIView):
class RoleUsersList(SubListAttachDetachAPIView):
# view of all the users that are within a role
model = models.User
serializer_class = serializers.UserSerializer
parent_model = models.Role
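Review bot: `UserRolesList.post` no longer says that attaching or detaching a role here can change `User.is_superuser`. This assumes the `request.data.get('id', None) == 1` block is on the removed side, which the hunk counts suggest but the page no longer marks. In that case the privilege change happens only as a side effect of the `m2m_changed` handler in the signals file. I would add a comment above the final `return super(UserRolesList, self).post(request, *args, **kwargs)`, such as `# attaching/detaching the System Administrator singleton role flips User.is_superuser via sync_rbac_to_superuser_status (m2m_changed)`. The only authorization visible in this section is the credential-role check, so the permission check for attaching the System Administrator role presumably lives in the parent class's `post`, outside these hunks. That is worth confirming and covering with a test where a non-superuser posts the role id.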


@ -121,15 +121,12 @@ def sync_superuser_status_to_rbac(instance, **kwargs):
Role.singleton(ROLE_SINGLETON_SYSTEM_ADMINISTRATOR).members.remove(instance)
# def sync_rbac_to_superuser_status(instance, sender, **kwargs):
# 'When the is_superuser flag is false but a user has the System Admin role, update the database to reflect that'
# if kwargs['action'] in ['pre_add', 'pre_remove']:
# if hasattr(instance, 'content_type'):
# import sdb;
# sdb.set_trace()
# if instance.content_type_id is None and instance.singleton_name == ROLE_SINGLETON_SYSTEM_ADMINISTRATOR and kwargs['model'].is_superuser == False:
# User.objects.filter(pk=kwargs['pk_set'].pop()).update(is_superuser = (kwargs['action'] == 'pre_add'))
def sync_rbac_to_superuser_status(instance, sender, **kwargs):
'When the is_superuser flag is false but a user has the System Admin role, update the database to reflect that'
if kwargs['action'] in ['post_add', 'post_remove']:
if instance.singleton_name == ROLE_SINGLETON_SYSTEM_ADMINISTRATOR:
new_status_value = bool(kwargs['action'] == 'post_add')
kwargs['model'].objects.filter(pk__in=kwargs['pk_set']).update(is_superuser=new_status_value)
def rbac_activity_stream(instance, sender, **kwargs):
@ -208,7 +205,7 @@ m2m_changed.connect(rebuild_role_ancestor_list, Role.parents.through)
m2m_changed.connect(rbac_activity_stream, Role.members.through)
m2m_changed.connect(rbac_activity_stream, Role.parents.through)
post_save.connect(sync_superuser_status_to_rbac, sender=User)
#m2m_changed.connect(sync_rbac_to_superuser_status, Role.members.through)
m2m_changed.connect(sync_rbac_to_superuser_status, Role.members.through)
pre_delete.connect(cleanup_detached_labels_on_deleted_parent, sender=UnifiedJob)
pre_delete.connect(cleanup_detached_labels_on_deleted_parent, sender=UnifiedJobTemplate)
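Review bot: The new `sync_rbac_to_superuser_status` treats `instance` as a Role on every call, but `m2m_changed` on `Role.members.through` is also sent with the User as `instance` (`reverse=True`) when the relation is edited from the user side. In that case `instance.singleton_name` is read on a User, which presumably has no such attribute, and `kwargs['model']` is Role rather than User. The handler also ignores `post_clear`, where `pk_set` is `None`, so clearing the System Administrator membership would leave `is_superuser=True` on accounts that no longer hold the role. Since this flag is the privilege being synchronised, I would branch on `kwargs['reverse']` and handle `post_clear` explicitly, as sketched below, with a test for each direction.

```python
def sync_rbac_to_superuser_status(instance, sender, **kwargs):
    'When the is_superuser flag is false but a user has the System Admin role, update the database to reflect that'
    action = kwargs['action']
    if action not in ('post_add', 'post_remove', 'post_clear'):
        return
    new_status_value = action == 'post_add'
    if not kwargs['reverse']:
        # role-side change: instance is the Role, pk_set holds user pks
        if instance.singleton_name != ROLE_SINGLETON_SYSTEM_ADMINISTRATOR:
            return
        if action == 'post_clear':
            # pk_set is None here; the role has no members left, so nobody keeps the flag
            kwargs['model'].objects.filter(is_superuser=True).update(is_superuser=False)
        else:
            kwargs['model'].objects.filter(pk__in=kwargs['pk_set']).update(is_superuser=new_status_value)
    else:
        # user-side change: instance is the User, pk_set holds role pks (None on post_clear)
        if action == 'post_clear':
            touches_admin_role = True
        else:
            touches_admin_role = kwargs['model'].objects.filter(
                pk__in=kwargs['pk_set'], singleton_name=ROLE_SINGLETON_SYSTEM_ADMINISTRATOR
            ).exists()
        if touches_admin_role:
            type(instance).objects.filter(pk=instance.pk).update(is_superuser=new_status_value)
```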