External-Mirrors/awx
2
0
Fork 0
mirror of https://github.com/ansible/awx.git synced 2026-03-16 08:27:29 -02:30
Code Issues Packages Projects Releases Wiki Activity

Fix server error assigning teams EE object roles (#15320)

Browse Source
This commit is contained in:
Alan Rominger
2024-07-03 14:07:03 -04:00
committed by GitHub
parent 94e5795dfc
commit d91af132c1
2 changed files with 22 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
awx/main/models/execution_environments.py
View File

@@ -68,5 +68,5 @@ class ExecutionEnvironment(CommonModel):
raise ValidationError({'user': _('User must have view permission to Execution Environment organization')}) raise ValidationError({'user': _('User must have view permission to Execution Environment organization')})
if actor._meta.model_name == 'team': if actor._meta.model_name == 'team':
organization_cls = self._meta.get_field('organization').related_model organization_cls = self._meta.get_field('organization').related_model
if self.orgaanization not in organization_cls.access_qs(actor, 'view'): if self.organization not in organization_cls.access_qs(actor, 'view'):
raise ValidationError({'team': _('Team must have view permission to Execution Environment organization')}) raise ValidationError({'team': _('Team must have view permission to Execution Environment organization')})

22
awx/main/tests/functional/test_rbac_execution_environment.py
View File

@@ -3,7 +3,7 @@ import pytest
from django.contrib.contenttypes.models import ContentType from django.contrib.contenttypes.models import ContentType
from awx.main.access import ExecutionEnvironmentAccess from awx.main.access import ExecutionEnvironmentAccess
from awx.main.models import ExecutionEnvironment, Organization from awx.main.models import ExecutionEnvironment, Organization, Team
from awx.main.models.rbac import get_role_codenames from awx.main.models.rbac import get_role_codenames
from awx.api.versioning import reverse from awx.api.versioning import reverse
@@ -77,6 +77,26 @@ def test_org_member_required_for_assignment(org_ee, ee_rd, rando, admin_user, po
assert 'User must have view permission to Execution Environment organization' in str(r.data) assert 'User must have view permission to Execution Environment organization' in str(r.data)
@pytest.mark.django_db
def test_team_view_permission_required(org_ee, ee_rd, rando, admin_user, post):
org2 = Organization.objects.create(name='a different team')
team = Team.objects.create(name='a team', organization=org2)
team.member_role.members.add(rando)
assert org_ee not in ExecutionEnvironmentAccess(rando).get_queryset() # user can not view the EE
url = django_reverse('roleteamassignment-list')
r = post(url, {'role_definition': ee_rd.pk, 'team': team.id, 'object_id': org_ee.pk}, user=admin_user, expect=400)
assert 'Team must have view permission to Execution Environment organization' in str(r.data)
org_view_rd = RoleDefinition.objects.create_from_permissions(
name='organization viewer role', permissions=['view_organization'], content_type=ContentType.objects.get_for_model(Organization)
)
org_view_rd.give_permission(team, org_ee.organization)
assert org_ee in ExecutionEnvironmentAccess(rando).get_queryset() # user can view the EE now
# can give object roles to the team now
post(url, {'role_definition': ee_rd.pk, 'team': team.id, 'object_id': org_ee.pk}, user=admin_user, expect=201)
assert rando.has_obj_perm(org_ee, 'change')
@pytest.mark.django_db @pytest.mark.django_db
def test_give_object_permission_to_ee(org_ee, ee_rd, org_member, check_user_capabilities): def test_give_object_permission_to_ee(org_ee, ee_rd, org_member, check_user_capabilities):
access = ExecutionEnvironmentAccess(org_member) access = ExecutionEnvironmentAccess(org_member)