Don't let Org Admins promote themselves to System Admins

Nor System Auditor
2026-01-15 03:40:42 -03:30 · 2016-05-18 16:02:40 -04:00 · 2016-05-18 16:02:40 -04:00 · d79d8cbfba
commit d79d8cbfba
parent 390ac656fa
1 changed files with 18 additions and 10 deletions
--- a/awx/api/views.py
+++ b/awx/api/views.py
@ -1248,17 +1248,25 @@ class UserDetail(RetrieveUpdateDestroyAPIView):
        obj = self.get_object()
        can_change = request.user.can_access(User, 'change', obj, request.data)
        can_admin = request.user.can_access(User, 'admin', obj, request.data)
+
+        su_only_edit_fields = ('is_superuser', 'is_system_auditor')
+        admin_only_edit_fields = ('last_name', 'first_name', 'username', 'is_active')
+
+        fields_to_check = ()
+        if not request.user.is_superuser:
+            fields_to_check += su_only_edit_fields
+
        if can_change and not can_admin:
-            admin_only_edit_fields = ('last_name', 'first_name', 'username',
-                                      'is_active', 'is_superuser')
-            changed = {}
-            for field in admin_only_edit_fields:
-                left = getattr(obj, field, None)
-                right = request.data.get(field, None)
-                if left is not None and right is not None and left != right:
-                    changed[field] = (left, right)
-            if changed:
-                raise PermissionDenied('Cannot change %s.' % ', '.join(changed.keys()))
+            fields_to_check += admin_only_edit_fields
+
+        bad_changes = {}
+        for field in fields_to_check:
+            left = getattr(obj, field, None)
+            right = request.data.get(field, None)
+            if left is not None and right is not None and left != right:
+                bad_changes[field] = (left, right)
+        if bad_changes:
+            raise PermissionDenied('Cannot change %s.' % ', '.join(bad_changes.keys()))

    def destroy(self, request, *args, **kwargs):
        obj = self.get_object()