External-Mirrors/awx
2
0
Fork 0
mirror of https://github.com/ansible/awx.git synced 2026-02-27 15:58:45 -03:30
Code Issues Packages Projects Releases Wiki Activity

Filter out roles users shouldn't be able to see from parents/children lists

Browse Source
This commit is contained in:
Akita Noek
2016-06-27 11:02:02 -04:00
parent 80b044580d
commit d3476ed52a
1 changed files with 3 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
awx/api/views.py
View File

@@ -3742,10 +3742,9 @@ class RoleParentsList(SubListAPIView):
new_in_300 = True new_in_300 = True
def get_queryset(self): def get_queryset(self):
# XXX: This should be the intersection between the roles of the user
# and the roles that the requesting user has access to see
role = Role.objects.get(pk=self.kwargs['pk']) role = Role.objects.get(pk=self.kwargs['pk'])
return role.parents.all() return Role.filter_visible_roles(self.request.user, role.parents.all())
class RoleChildrenList(SubListAPIView): class RoleChildrenList(SubListAPIView):
@@ -3757,10 +3756,8 @@ class RoleChildrenList(SubListAPIView):
new_in_300 = True new_in_300 = True
def get_queryset(self): def get_queryset(self):
# XXX: This should be the intersection between the roles of the user
# and the roles that the requesting user has access to see
role = Role.objects.get(pk=self.kwargs['pk']) role = Role.objects.get(pk=self.kwargs['pk'])
return role.children.all() return Role.filter_visible_roles(self.request.user, role.children.all())