From d79d8cbfba3ca2d74cf69a7851c036fca72fdb35 Mon Sep 17 00:00:00 2001
From: Akita Noek
Date: Wed, 18 May 2016 16:02:40 -0400
Subject: [PATCH] Don't let Org Admins promote themselves to System Admins Nor System Auditor
---
 awx/api/views.py | 28 ++++++++++++++++++----------
 1 file changed, 18 insertions(+), 10 deletions(-)
diff --git a/awx/api/views.py b/awx/api/views.py
index d22131e01f..9bd1349253 100644
--- a/awx/api/views.py
+++ b/awx/api/views.py
@@ -1248,17 +1248,25 @@ class UserDetail(RetrieveUpdateDestroyAPIView):
 obj = self.get_object()
 can_change = request.user.can_access(User, 'change', obj, request.data)
 can_admin = request.user.can_access(User, 'admin', obj, request.data)
+
+ su_only_edit_fields = ('is_superuser', 'is_system_auditor')
+ admin_only_edit_fields = ('last_name', 'first_name', 'username', 'is_active')
+
+ fields_to_check = ()
+ if not request.user.is_superuser:
+ fields_to_check += su_only_edit_fields
+
 if can_change and not can_admin:
- admin_only_edit_fields = ('last_name', 'first_name', 'username',
- 'is_active', 'is_superuser')
- changed = {}
- for field in admin_only_edit_fields:
- left = getattr(obj, field, None)
- right = request.data.get(field, None)
- if left is not None and right is not None and left != right:
- changed[field] = (left, right)
- if changed:
- raise PermissionDenied('Cannot change %s.' % ', '.join(changed.keys()))
+ fields_to_check += admin_only_edit_fields
+
+ bad_changes = {}
+ for field in fields_to_check:
+ left = getattr(obj, field, None)
+ right = request.data.get(field, None)
+ if left is not None and right is not None and left != right:
+ bad_changes[field] = (left, right)
+ if bad_changes:
+ raise PermissionDenied('Cannot change %s.' % ', '.join(bad_changes.keys()))
 
 def destroy(self, request, *args, **kwargs):
 obj = self.get_object()
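Review bot: The `left != right` test in the new `bad_changes` loop compares the model attribute against the raw `request.data` value, so a form-encoded or string-typed body (`'false'` vs `False`) trips the check even when nothing actually changes; that fails closed, which is the right direction for a privilege boundary, but it deserves a comment so a later "fix" does not loosen it, e.g. `# Compare raw request values on purpose: any mismatch (even a type difference) must deny, never silently coerce.`. The intent of the two tuples is also undocumented; a comment above `su_only_edit_fields` such as `# Only superusers may grant superuser/system-auditor; users with 'change' but not 'admin' access also may not alter identity fields.` would make the policy explicit. A denied attempt here is a privilege-escalation signal worth an audit trail, so if this module has a logger, consider logging the offending field names at warning level before raising `PermissionDenied`. The enclosing method begins before the hunk, so whatever rejects a caller with neither `can_change` nor `can_admin` is not visible here.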