External-Mirrors/awx
2
0
Fork 0
mirror of https://github.com/ansible/awx.git synced 2026-02-26 23:46:05 -03:30
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #3696 from jangsutsr/3535_add_rbac_check_to_project_validate

Browse Source 
Patch up missing org access checks in access.py
This commit is contained in:
Aaron Tan
2016-10-14 14:37:52 -04:00
committed by GitHub
parent 7ea84d92ef 3999ffd52a
commit d9ac461bb8
3 changed files with 29 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
awx/main/access.py
View File

@@ -871,6 +871,11 @@ class ProjectAccess(BaseAccess):
@check_superuser @check_superuser
def can_change(self, obj, data): def can_change(self, obj, data):
org_pk = get_pk_from_dict(data, 'organization')
if obj and org_pk and obj.organization and obj.organization.pk != org_pk:
org = get_object_or_400(Organization, pk=org_pk)
if self.user not in org.admin_role:
return False
return self.user in obj.admin_role return self.user in obj.admin_role
def can_delete(self, obj): def can_delete(self, obj):
@@ -2045,11 +2050,16 @@ class CustomInventoryScriptAccess(BaseAccess):
@check_superuser @check_superuser
def can_admin(self, obj, data=None): def can_admin(self, obj, data=None):
org_pk = get_pk_from_dict(data, 'organization')
if obj and org_pk and obj.organization and obj.organization.pk != org_pk:
org = get_object_or_400(Organization, pk=org_pk)
if self.user not in org.admin_role:
return False
return self.user in obj.admin_role return self.user in obj.admin_role
@check_superuser @check_superuser
def can_change(self, obj, data): def can_change(self, obj, data):
return self.can_admin(obj) return self.can_admin(obj, data=data)
@check_superuser @check_superuser
def can_delete(self, obj): def can_delete(self, obj):

12
awx/main/tests/functional/test_rbac_inventory.py
View File

@@ -9,7 +9,8 @@ from awx.main.models import (
from awx.main.access import ( from awx.main.access import (
InventoryAccess, InventoryAccess,
HostAccess, HostAccess,
InventoryUpdateAccess InventoryUpdateAccess,
CustomInventoryScriptAccess
) )
from django.apps import apps from django.apps import apps
@@ -29,6 +30,15 @@ def test_custom_inv_script_access(organization, user):
organization.admin_role.members.add(ou) organization.admin_role.members.add(ou)
assert ou in custom_inv.admin_role assert ou in custom_inv.admin_role
@pytest.mark.django_db
def test_modify_inv_script_foreign_org_admin(org_admin, organization, organization_factory, project):
custom_inv = CustomInventoryScript.objects.create(name='test', script='test', description='test',
organization=organization)
other_org = organization_factory('not-my-org').organization
access = CustomInventoryScriptAccess(org_admin)
assert not access.can_change(custom_inv, {'organization': other_org.pk, 'name': 'new-project'})
@pytest.mark.django_db @pytest.mark.django_db
def test_inventory_admin_user(inventory, permissions, user): def test_inventory_admin_user(inventory, permissions, user):
u = user('admin', False) u = user('admin', False)

7
awx/main/tests/functional/test_rbac_project.py
View File

@@ -217,3 +217,10 @@ def test_create_project_foreign_org_admin(org_admin, organization, organization_
other_org = organization_factory('not-my-org').organization other_org = organization_factory('not-my-org').organization
access = ProjectAccess(org_admin) access = ProjectAccess(org_admin)
assert not access.can_add({'organization': other_org.pk, 'name': 'new-project'}) assert not access.can_add({'organization': other_org.pk, 'name': 'new-project'})
@pytest.mark.django_db
def test_modify_project_foreign_org_admin(org_admin, organization, organization_factory, project):
"""Org admins can only modify projects in their own org."""
other_org = organization_factory('not-my-org').organization
access = ProjectAccess(org_admin)
assert not access.can_change(project, {'organization': other_org.pk, 'name': 'new-project'})