Fix RBAC for project updates.

2026-03-04 18:21:03 -03:30 · 2013-11-19 13:26:34 -05:00
parent 216ab5cf41
commit d681d0972a
1 changed files with 3 additions and 16 deletions
--- a/awx/main/access.py
+++ b/awx/main/access.py
@@ -657,10 +657,7 @@ class ProjectAccess(BaseAccess):
 class ProjectUpdateAccess(BaseAccess):
    '''
    I can see project updates when I can see the project.
-    I can change/delete when:
+    I can change when I can change the project.
     - I am a superuser.
     - I am an admin in an organization associated with the project.
     - I created it (for now?).
    '''
    model = ProjectUpdate
@@ -668,18 +665,8 @@ class ProjectUpdateAccess(BaseAccess):
    def get_queryset(self):
        qs = ProjectUpdate.objects.filter(active=True).distinct()
        qs = qs.select_related('created_by', 'project')
-        #if self.user.is_superuser:
+        projects_qs = self.user.get_queryset(Project)
-        return qs
+        return qs.filter(project__in=projects_qs)
        #allowed = [PERM_INVENTORY_DEPLOY, PERM_INVENTORY_CHECK]
        #return qs.filter(
        #    Q(created_by=self.user) |
        #    Q(organizations__admins__in=[self.user]) |
        #    Q(organizations__users__in=[self.user]) |
        #    Q(teams__users__in=[self.user]) |
        #    Q(permissions__user=self.user, permissions__permission_type__in=allowed) |
        #    Q(permissions__team__users__in=[self.user], permissions__permission_type__in=allowed)
        #)
 class PermissionAccess(BaseAccess):
    '''