External-Mirrors/awx
2
0
Fork 0
mirror of https://github.com/ansible/awx.git synced 2026-01-13 02:50:02 -03:30
Code Issues Packages Projects Releases Wiki Activity

Filter out roles users shouldn't be able to see from parents/children lists

Browse Source
This commit is contained in:
Akita Noek 2016-06-27 11:02:02 -04:00
parent 80b044580d
commit d3476ed52a
1 changed files with 3 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
awx/api/views.py
View File

@ -3742,10 +3742,9 @@ class RoleParentsList(SubListAPIView):
new_in_300 = True
def get_queryset(self):
# XXX: This should be the intersection between the roles of the user
# and the roles that the requesting user has access to see
role = Role.objects.get(pk=self.kwargs['pk'])
return role.parents.all()
return Role.filter_visible_roles(self.request.user, role.parents.all())
class RoleChildrenList(SubListAPIView):
@ -3757,10 +3756,8 @@ class RoleChildrenList(SubListAPIView):
new_in_300 = True
def get_queryset(self):
# XXX: This should be the intersection between the roles of the user
# and the roles that the requesting user has access to see
role = Role.objects.get(pk=self.kwargs['pk'])
return role.children.all()
return Role.filter_visible_roles(self.request.user, role.children.all())