External-Mirrors/awx
2
0
Fork 0
mirror of https://github.com/ansible/awx.git synced 2026-01-10 15:32:07 -03:30
Code Issues Packages Projects Releases Wiki Activity

Fix server error assigning teams EE object roles (#15320)

Browse Source
This commit is contained in:
Alan Rominger 2024-07-03 14:07:03 -04:00 committed by GitHub
parent 94e5795dfc
commit d91af132c1
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 22 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
awx/main/models/execution_environments.py
View File

@ -68,5 +68,5 @@ class ExecutionEnvironment(CommonModel):
raise ValidationError({'user': _('User must have view permission to Execution Environment organization')})
if actor._meta.model_name == 'team':
organization_cls = self._meta.get_field('organization').related_model
if self.orgaanization not in organization_cls.access_qs(actor, 'view'):
if self.organization not in organization_cls.access_qs(actor, 'view'):
raise ValidationError({'team': _('Team must have view permission to Execution Environment organization')})

22
awx/main/tests/functional/test_rbac_execution_environment.py
View File

@ -3,7 +3,7 @@ import pytest
from django.contrib.contenttypes.models import ContentType
from awx.main.access import ExecutionEnvironmentAccess
from awx.main.models import ExecutionEnvironment, Organization
from awx.main.models import ExecutionEnvironment, Organization, Team
from awx.main.models.rbac import get_role_codenames
from awx.api.versioning import reverse
@ -77,6 +77,26 @@ def test_org_member_required_for_assignment(org_ee, ee_rd, rando, admin_user, po
assert 'User must have view permission to Execution Environment organization' in str(r.data)
@pytest.mark.django_db
def test_team_view_permission_required(org_ee, ee_rd, rando, admin_user, post):
org2 = Organization.objects.create(name='a different team')
team = Team.objects.create(name='a team', organization=org2)
team.member_role.members.add(rando)
assert org_ee not in ExecutionEnvironmentAccess(rando).get_queryset() # user can not view the EE
url = django_reverse('roleteamassignment-list')
r = post(url, {'role_definition': ee_rd.pk, 'team': team.id, 'object_id': org_ee.pk}, user=admin_user, expect=400)
assert 'Team must have view permission to Execution Environment organization' in str(r.data)
org_view_rd = RoleDefinition.objects.create_from_permissions(
name='organization viewer role', permissions=['view_organization'], content_type=ContentType.objects.get_for_model(Organization)
)
org_view_rd.give_permission(team, org_ee.organization)
assert org_ee in ExecutionEnvironmentAccess(rando).get_queryset() # user can view the EE now
# can give object roles to the team now
post(url, {'role_definition': ee_rd.pk, 'team': team.id, 'object_id': org_ee.pk}, user=admin_user, expect=201)
assert rando.has_obj_perm(org_ee, 'change')
@pytest.mark.django_db
def test_give_object_permission_to_ee(org_ee, ee_rd, org_member, check_user_capabilities):
access = ExecutionEnvironmentAccess(org_member)