From d308946360d69603b57b1f9e111d87bcdff3fd32 Mon Sep 17 00:00:00 2001
From: Matthew Jones
Date: Tue, 12 Sep 2017 15:16:05 -0400
Subject: [PATCH] Allow system auditor to set their own password
---
 awx/main/access.py | 6 ++++--
 awx/main/tests/functional/test_rbac_user.py | 6 ++++++
 2 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/awx/main/access.py b/awx/main/access.py
index d73b877389..257a6b8a84 100644
--- a/awx/main/access.py
+++ b/awx/main/access.py
@@ -463,8 +463,10 @@ class UserAccess(BaseAccess):
 def can_change(self, obj, data):
 if data is not None and ('is_superuser' in data or 'is_system_auditor' in data):
- if (to_python_boolean(data.get('is_superuser', 'false'), allow_none=True) or
- to_python_boolean(data.get('is_system_auditor', 'false'), allow_none=True)) and not self.user.is_superuser:
+ if to_python_boolean(data.get('is_superuser', 'false'), allow_none=True) and \
+ not self.user.is_superuser:
+ return False
+ if to_python_boolean(data.get('is_system_auditor', 'false'), allow_none=True) and not (self.user.is_superuser or self.user == obj):
 return False
 # A user can be changed if they are themselves, or by org admins or
 # superusers. Change permission implies changing only certain fields
diff --git a/awx/main/tests/functional/test_rbac_user.py b/awx/main/tests/functional/test_rbac_user.py
index 8f307ea0e3..bbfe0267cd 100644
--- a/awx/main/tests/functional/test_rbac_user.py
+++ b/awx/main/tests/functional/test_rbac_user.py
@@ -44,6 +44,12 @@ def test_system_auditor_is_system_auditor(system_auditor):
 assert system_auditor.is_system_auditor
+@pytest.mark.django_db
+def test_system_auditor_can_modify_self(system_auditor):
+ access = UserAccess(system_auditor)
+ assert access.can_change(obj=system_auditor, data=dict(is_system_auditor='true'))
+
+
 @pytest.mark.django_db
 def test_user_queryset(user):
 u = user('pete', False)
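Review bot: The new `is_system_auditor` check in can_change exempts every request where `self.user == obj`, without checking that the user already holds the auditor flag. As far as this hunk shows, a non-auditor who submits `is_system_auditor` as true for their own record is no longer refused here, so unless a layer outside the hunk blocks it, the user could grant themselves the auditor role. Limiting the exemption to the unchanged-value case keeps the password use case working: `... and not (self.user.is_superuser or (self.user == obj and obj.is_system_auditor)):`. The rest of can_change lies outside the hunk, so whether a later check catches this cannot be confirmed from here.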
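Review bot: The test added in test_rbac_user.py covers only the permitted case, so nothing pins down what the relaxed rule must still refuse. Two negative cases belong next to it: a user who is not an auditor requesting `is_system_auditor` on their own record, and an auditor requesting `is_superuser` on their own record. The first is expected to fail against the `self.user == obj` exemption as written in access.py, which is the gap it is meant to expose. The `user('pete', False)` call is copied from test_user_queryset and is assumed to create a non-privileged user.

```python
@pytest.mark.django_db
def test_user_cannot_make_self_system_auditor(user):
    u = user('pete', False)
    access = UserAccess(u)
    assert not access.can_change(obj=u, data=dict(is_system_auditor='true'))


@pytest.mark.django_db
def test_system_auditor_cannot_make_self_superuser(system_auditor):
    access = UserAccess(system_auditor)
    assert not access.can_change(obj=system_auditor, data=dict(is_superuser='true'))
```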