diff --git a/awx/api/views/__init__.py b/awx/api/views/__init__.py
index 42edb07333..43e845af0c 100644
--- a/awx/api/views/__init__.py
+++ b/awx/api/views/__init__.py
@@ -1079,7 +1079,7 @@ class UserTeamsList(SubListAPIView):
 class UserRolesList(SubListAttachDetachAPIView):
- # view of the roles that a user has associated with their id
+
 model = models.Role
 serializer_class = serializers.RoleSerializerWithParentAccess
 metadata_class = RoleMetadata
@@ -1099,7 +1099,6 @@ class UserRolesList(SubListAttachDetachAPIView):
 ).exclude(content_type=content_type, object_id=u.id)
 def post(self, request, *args, **kwargs):
- ret = super(UserRolesList, self).post(request, *args, **kwargs)
 sub_id = request.data.get('id', None)
 if not sub_id:
 return super(UserRolesList, self).post(request)
@@ -1108,7 +1107,6 @@ class UserRolesList(SubListAttachDetachAPIView):
 role = get_object_or_400(models.Role, pk=sub_id)
 credential_content_type = ContentType.objects.get_for_model(models.Credential)
-
 if role.content_type == credential_content_type:
 if 'disassociate' not in request.data and role.content_object.organization and user not in role.content_object.organization.member_role:
 data = dict(msg=_("You cannot grant credential access to a user not in the credentials' organization"))
@@ -1117,10 +1115,7 @@ class UserRolesList(SubListAttachDetachAPIView):
 if not role.content_object.organization and not request.user.is_superuser:
 data = dict(msg=_("You cannot grant private credential access to another user"))
 return Response(data, status=status.HTTP_400_BAD_REQUEST)
- if request.data.get('id', None) == 1:
- request.data['role_field'] = "System Administrator"
- request.data["is_superuser"] = True
- # this won't work because it doesn't impact the user model, which is where `is_superuser` is found and is what needs to be changed
+
 return super(UserRolesList, self).post(request, *args, **kwargs)
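Review bot: With the `id == 1` branch removed, nothing in `post` tells the reader that attaching the System Administrator role through this endpoint now also sets `is_superuser`; that happens in the `m2m_changed` receiver this commit connects in awx/main/signals.py. A comment above the final return would keep the link visible: `# is_superuser is kept in sync by sync_rbac_to_superuser_status (awx/main/signals.py)`. As far as this hunk shows, the credential checks do not apply to the singleton role, so the permission check in the parent class's `post` (not visible in this diff) is the only gate in front of superuser status and is worth confirming for that role. The body of `post` begins in an earlier hunk.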
@@ -4364,7 +4359,7 @@ class RoleDetail(RetrieveAPIView):
 class RoleUsersList(SubListAttachDetachAPIView):
- # view of all the users that are within a role
+
 model = models.User
 serializer_class = serializers.UserSerializer
 parent_model = models.Role
diff --git a/awx/main/signals.py b/awx/main/signals.py
index 3ecba41b78..34d0003ab9 100644
--- a/awx/main/signals.py
+++ b/awx/main/signals.py
@@ -121,15 +121,12 @@ def sync_superuser_status_to_rbac(instance, **kwargs):
 Role.singleton(ROLE_SINGLETON_SYSTEM_ADMINISTRATOR).members.remove(instance)
-# def sync_rbac_to_superuser_status(instance, sender, **kwargs):
-# 'When the is_superuser flag is false but a user has the System Admin role, update the database to reflect that'
-# if kwargs['action'] in ['pre_add', 'pre_remove']:
-# if hasattr(instance, 'content_type'):
-# import sdb;
-# sdb.set_trace()
-# if instance.content_type_id is None and instance.singleton_name == ROLE_SINGLETON_SYSTEM_ADMINISTRATOR and kwargs['model'].is_superuser == False:
-# User.objects.filter(pk=kwargs['pk_set'].pop()).update(is_superuser = (kwargs['action'] == 'pre_add'))
-
+def sync_rbac_to_superuser_status(instance, sender, **kwargs):
+ 'When the is_superuser flag is false but a user has the System Admin role, update the database to reflect that'
+ if kwargs['action'] in ['post_add', 'post_remove']:
+ if instance.singleton_name == ROLE_SINGLETON_SYSTEM_ADMINISTRATOR:
+ new_status_value = bool(kwargs['action'] == 'post_add')
+ kwargs['model'].objects.filter(pk__in=kwargs['pk_set']).update(is_superuser=new_status_value)
 def rbac_activity_stream(instance, sender, **kwargs):
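Review bot: `sync_rbac_to_superuser_status` assumes `instance` is always a Role, but `m2m_changed` on `Role.members.through` also fires when the relation is changed from the User side. In that case `instance` is the User, `kwargs['model']` is Role and `pk_set` holds role ids, so `instance.singleton_name` would raise AttributeError (the commented-out version at least guarded with `hasattr`). Branching on `kwargs['reverse']` handles both directions, as sketched below with the docstring left as is. `post_clear` is also ignored, so clearing the role's members would presumably leave `is_superuser` set on the former members.

```python
def sync_rbac_to_superuser_status(instance, sender, **kwargs):
    # … unchanged: docstring …
    action = kwargs['action']
    if action not in ('post_add', 'post_remove'):
        return
    new_status_value = action == 'post_add'
    if kwargs['reverse']:
        # relation changed from the User side: instance is the User, pk_set holds Role pks
        sysadmin_role = Role.singleton(ROLE_SINGLETON_SYSTEM_ADMINISTRATOR)
        if sysadmin_role.pk in kwargs['pk_set']:
            User.objects.filter(pk=instance.pk).update(is_superuser=new_status_value)
    elif instance.singleton_name == ROLE_SINGLETON_SYSTEM_ADMINISTRATOR:
        # relation changed from the Role side: instance is the Role, pk_set holds User pks
        kwargs['model'].objects.filter(pk__in=kwargs['pk_set']).update(is_superuser=new_status_value)
```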
@@ -208,7 +205,7 @@ m2m_changed.connect(rebuild_role_ancestor_list, Role.parents.through)
 m2m_changed.connect(rbac_activity_stream, Role.members.through)
 m2m_changed.connect(rbac_activity_stream, Role.parents.through)
 post_save.connect(sync_superuser_status_to_rbac, sender=User)
-#m2m_changed.connect(sync_rbac_to_superuser_status, Role.members.through)
+m2m_changed.connect(sync_rbac_to_superuser_status, Role.members.through)
 pre_delete.connect(cleanup_detached_labels_on_deleted_parent, sender=UnifiedJob)
 pre_delete.connect(cleanup_detached_labels_on_deleted_parent, sender=UnifiedJobTemplate)
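Review bot: Connecting this receiver next to `post_save.connect(sync_superuser_status_to_rbac, sender=User)` makes the two handlers trigger each other's signal, and nothing at the connect site says why that terminates. Saving a User changes the role's members (the `members.remove(instance)` call is visible in the earlier signals.py hunk), which emits `m2m_changed` and runs the new handler. The chain stops only because that handler writes with `QuerySet.update()`, which sends no `post_save`. A comment here would protect that invariant: `# sync_rbac_to_superuser_status must write with .update(), not .save(), or it re-enters sync_superuser_status_to_rbac`.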