Fix organization not showing all galaxy credentials for org admin (#13676)

* Fix organization not showing all galaxy credentials for org admin * Add basic test to ensure counts * refactored approach to allow removal of redundant code * Allow configurable prefetch_related * implicitly get related fields * Removed extra queryset code
2026-02-12 15:14:45 -03:30 · 2023-04-25 15:33:42 -04:00
parent 7acc0067f5
commit d8af19d169
4 changed files with 32 additions and 11 deletions
--- a/awx/api/generics.py
+++ b/awx/api/generics.py
@@ -510,6 +510,9 @@ class SubListAPIView(ParentMixin, ListAPIView):
    # And optionally (user must have given access permission on parent object
    # to view sublist):
    #   parent_access = 'read'
+    # filter_read_permission sets whether or not to override the default intersection behavior
+    # implemented here
+    filter_read_permission = True

    def get_description_context(self):
        d = super(SubListAPIView, self).get_description_context()
@@ -524,8 +527,14 @@ class SubListAPIView(ParentMixin, ListAPIView):
    def get_queryset(self):
        parent = self.get_parent_object()
        self.check_parent_access(parent)
-        qs = self.request.user.get_queryset(self.model).distinct()
        sublist_qs = self.get_sublist_queryset(parent)
+        if not self.filter_read_permission:
+            access_class = access_registry[self.model]
+            if access_class.prefetch_related:
+                return sublist_qs.prefetch_related(*access_class.prefetch_related)
+            if access_class.select_related:
+                return sublist_qs.select_related(*access_class.select_related)
+        qs = self.request.user.get_queryset(self.model).distinct()
        return qs & sublist_qs

    def get_sublist_queryset(self, parent):
--- a/awx/api/views/init.py
+++ b/awx/api/views/init.py
@@ -2581,16 +2581,7 @@ class JobTemplateCredentialsList(SubListCreateAttachDetachAPIView):
    serializer_class = serializers.CredentialSerializer
    parent_model = models.JobTemplate
    relationship = 'credentials'
-
-    def get_queryset(self):
-        # Return the full list of credentials
-        parent = self.get_parent_object()
-        self.check_parent_access(parent)
-        sublist_qs = getattrd(parent, self.relationship)
-        sublist_qs = sublist_qs.prefetch_related(
-            'created_by', 'modified_by', 'admin_role', 'use_role', 'read_role', 'admin_role__parents', 'admin_role__members'
-        )
-        return sublist_qs
+    filter_read_permission = False

    def is_valid_relation(self, parent, sub, created=False):
        if sub.unique_hash() in [cred.unique_hash() for cred in parent.credentials.all()]:
@@ -2780,6 +2771,7 @@ class JobTemplateInstanceGroupsList(SubListAttachDetachAPIView):
    serializer_class = serializers.InstanceGroupSerializer
    parent_model = models.JobTemplate
    relationship = 'instance_groups'
+    filter_read_permission = False


 class JobTemplateAccessList(ResourceAccessList):
--- a/awx/api/views/organization.py
+++ b/awx/api/views/organization.py
@@ -207,6 +207,7 @@ class OrganizationInstanceGroupsList(SubListAttachDetachAPIView):
    serializer_class = InstanceGroupSerializer
    parent_model = Organization
    relationship = 'instance_groups'
+    filter_read_permission = False


 class OrganizationGalaxyCredentialsList(SubListAttachDetachAPIView):
@@ -214,6 +215,7 @@ class OrganizationGalaxyCredentialsList(SubListAttachDetachAPIView):
    serializer_class = CredentialSerializer
    parent_model = Organization
    relationship = 'galaxy_credentials'
+    filter_read_permission = False

    def is_valid_relation(self, parent, sub, created=False):
        if sub.kind != 'galaxy_api_token':