From 7b8c2f5b7491ff3dd5fba16698c6d9fd332464bd Mon Sep 17 00:00:00 2001
From: Akita Noek
Date: Thu, 14 Jul 2016 09:53:20 -0400
Subject: [PATCH 1/4] Normalized CustomInventoryScriptAccess.can_admin
---
 awx/main/access.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/awx/main/access.py b/awx/main/access.py
index f47198e4b0..a4e8f466b5 100644
--- a/awx/main/access.py
+++ b/awx/main/access.py
@@ -1556,7 +1556,7 @@ class CustomInventoryScriptAccess(BaseAccess):
 return self.user in org.admin_role
 @check_superuser
- def can_admin(self, obj):
+ def can_admin(self, obj, data=None):
 return self.user in obj.admin_role
 @check_superuser
From bb14c9003debf5fbae29cf8219a5ea568daf98a7 Mon Sep 17 00:00:00 2001
From: Akita Noek
Date: Thu, 14 Jul 2016 09:54:06 -0400
Subject: [PATCH 2/4] Orphan handling in _old_access.py
---
 awx/main/migrations/_old_access.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/awx/main/migrations/_old_access.py b/awx/main/migrations/_old_access.py
index ce952461ac..da49723a9e 100644
--- a/awx/main/migrations/_old_access.py
+++ b/awx/main/migrations/_old_access.py
@@ -656,7 +656,7 @@ class TeamAccess(BaseAccess):
 raise PermissionDenied('Unable to change organization on a team')
 if self.user.is_superuser:
 return True
- if self.user in obj.organization.deprecated_admins.all():
+ if obj.organization and self.user in obj.organization.deprecated_admins.all():
 return True
 return False
From 353e6100b927cc2ceb7257ef57b03def24d60fa0 Mon Sep 17 00:00:00 2001
From: Akita Noek
Date: Thu, 14 Jul 2016 09:54:41 -0400
Subject: [PATCH 3/4] Fix team credential role access in rbac migration
---
 awx/main/migrations/_rbac.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/awx/main/migrations/_rbac.py b/awx/main/migrations/_rbac.py
index ee4100431e..4a1115c4b3 100644
--- a/awx/main/migrations/_rbac.py
+++ b/awx/main/migrations/_rbac.py
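Review bot: In `awx/main/access.py` (patch 1/4), `CustomInventoryScriptAccess.can_admin` now accepts `data` but never reads it, so the result depends only on the object's current `admin_role`. If callers pass proposed field changes through this argument (not visible in the hunk), a change such as reassigning the script to another organization is not vetted by this method. Either check the relevant keys of `data` or state the contract on the line, e.g. `# data is accepted for signature parity only; proposed changes are not validated here`. The class starts above the hunk and continues below it.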
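Review bot: In `awx/main/migrations/_old_access.py` (patch 2/4), the new `obj.organization and ...` guard makes a team with no organization fall through to `return False` for every non-superuser, and that fail-closed outcome is worth stating next to the check, e.g. `# orphaned team (no organization): only superusers pass`. The membership test still evaluates the whole `deprecated_admins.all()` queryset; `obj.organization.deprecated_admins.filter(pk=self.user.pk).exists()` would ask the same question without loading every admin. The enclosing method starts above the hunk, so whether earlier lines dereference `obj.organization` without the same guard cannot be confirmed from here.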
@@ -198,7 +198,8 @@ def migrate_credential(apps, schema_editor):
 logger.info(smart_text(u"added Credential(name={}, kind={}, host={}) at organization level".format(cred.name, cred.kind, cred.host)))
 if cred.deprecated_team is not None:
- cred.deprecated_team.member_role.children.add(cred.admin_role)
+ cred.deprecated_team.admin_role.children.add(cred.admin_role)
+ cred.deprecated_team.member_role.children.add(cred.use_role)
 cred.save()
 logger.info(smart_text(u"added Credential(name={}, kind={}, host={}) at user level".format(cred.name, cred.kind, cred.host)))
 elif cred.deprecated_user is not None:
From 6da6f48521ad65e5444980f2b90fb456d88aff85 Mon Sep 17 00:00:00 2001
From: Akita Noek
Date: Thu, 14 Jul 2016 11:04:06 -0400
Subject: [PATCH 4/4] Updated tests to reflect credential access after migrations
---
 awx/main/tests/functional/test_rbac_credential.py | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/awx/main/tests/functional/test_rbac_credential.py b/awx/main/tests/functional/test_rbac_credential.py
index 95a6610a23..3b154d6f42 100644
--- a/awx/main/tests/functional/test_rbac_credential.py
+++ b/awx/main/tests/functional/test_rbac_credential.py
@@ -28,8 +28,10 @@ def test_two_teams_same_cred_name(organization_factory):
 rbac.migrate_credential(apps, None)
- assert objects.teams.team1.member_role in cred1.admin_role.parents.all()
- assert objects.teams.team2.member_role in cred2.admin_role.parents.all()
+ assert objects.teams.team1.admin_role in cred1.admin_role.parents.all()
+ assert objects.teams.team2.admin_role in cred2.admin_role.parents.all()
+ assert objects.teams.team1.member_role in cred1.use_role.parents.all()
+ assert objects.teams.team2.member_role in cred2.use_role.parents.all()
 @pytest.mark.django_db
 def test_credential_use_role(credential, user, permissions):
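Review bot: The corrected mapping in `migrate_credential` (patch 3/4) only adds the new parent edges, so a database on which the earlier version of this migration already ran would keep the team `member_role` as a parent of the credential `admin_role`, leaving ordinary team members with credential admin rights. Whether such databases exist cannot be determined from this page; if they can, drop the stale edge before adding the new ones with `cred.deprecated_team.member_role.children.remove(cred.admin_role)`. Separately, the unchanged `logger.info` in this team branch reports `at user level`, which looks like a copy-paste slip and makes the migration log misleading when auditing who received which role. The function starts above the hunk and continues below it.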
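Review bot: The updated assertions in `test_two_teams_same_cred_name` (patch 4/4) check only the positive side of the new mapping; nothing asserts that a team's `member_role` is no longer a parent of the credential `admin_role`, which is the privilege the migration fix takes away. Adding `assert objects.teams.team1.member_role not in cred1.admin_role.parents.all()` (and the same for `team2`/`cred2`) would make a regression to the old edge fail the test. The same gap is in the `test_credential_migration_team_member` hunk of this patch, where `assert u not in credential.admin_role` would pin it, assuming the fixture user has no other route to admin. Both test bodies start above their hunks.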
@@ -53,7 +55,7 @@ def test_credential_migration_team_member(credential, team, user, permissions):
 rbac.migrate_credential(apps, None)
 # Admin permissions post migration
- assert u in credential.admin_role
+ assert u in credential.use_role
 @pytest.mark.django_db
 def test_credential_migration_team_admin(credential, team, user, permissions):
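Review bot: The context comment `# Admin permissions post migration` directly above the changed assertion is now stale, because the test checks `use_role` rather than `admin_role`. Reword it to match what is asserted, e.g. `# Team members get use (not admin) permissions post migration`, so the expected privilege level is clear to the next reader. The test body starts above the hunk.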