External-Mirrors/awx
2
0
Fork 0
mirror of https://github.com/ansible/awx.git synced 2026-05-18 06:47:41 -02:30
Code Issues Packages Projects Releases Wiki Activity

Improve the can_user_add model hook to allow it to pre-examine data for context.

Browse Source
This commit is contained in:
Michael DeHaan
2013-03-25 19:00:07 -04:00
parent be1bd56ca2
commit dbfd764acd
5 changed files with 33 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
lib/main/base_views.py
View File

@@ -44,7 +44,7 @@ class BaseList(generics.ListCreateAPIView):
# org admins are allowed to create users # org admins are allowed to create users
return self.request.user.is_superuser or (self.request.user.admin_of_organizations.count() > 0) return self.request.user.is_superuser or (self.request.user.admin_of_organizations.count() > 0)
else: else:
return self.__class__.model.can_user_add(request.user) return self.__class__.model.can_user_add(request.user, self.request.DATA)
raise exceptions.NotImplementedError raise exceptions.NotImplementedError
def get_queryset(self): def get_queryset(self):

22
lib/main/models/__init__.py
View File

@@ -157,7 +157,7 @@ class CommonModel(models.Model):
raise exceptions.NotImplementedError() raise exceptions.NotImplementedError()
@classmethod @classmethod
def can_user_add(cls, user): def can_user_add(cls, user, data):
return user.is_superuser return user.is_superuser
@classmethod @classmethod
@@ -191,7 +191,7 @@ class Tag(models.Model):
return reverse(lib.urls.views_TagsDetail, args=(self.pk,)) return reverse(lib.urls.views_TagsDetail, args=(self.pk,))
@classmethod @classmethod
def can_user_add(cls, user): def can_user_add(cls, user, data):
# anybody can make up tags # anybody can make up tags
return True return True
@@ -284,7 +284,7 @@ class Inventory(CommonModel):
def _has_permission_types(cls, user, obj, allowed): def _has_permission_types(cls, user, obj, allowed):
if user.is_superuser: if user.is_superuser:
return True return True
by_org_admin = user in obj.organization.admins.all() by_org_admin = obj.organization.admins.filter(pk = user.pk).count()
by_team_permission = obj.permissions.filter( by_team_permission = obj.permissions.filter(
team__in = user.teams.all(), team__in = user.teams.all(),
permission_type__in = allowed permission_type__in = allowed
@@ -293,7 +293,21 @@ class Inventory(CommonModel):
user = user, user = user,
permission_type__in = allowed permission_type__in = allowed
).count() ).count()
return (by_org_admin + by_team_permission + by_user_permission) > 0
result = (by_org_admin + by_team_permission + by_user_permission)
return result > 0
@classmethod
def can_user_add(cls, user, data):
if not 'organization' in data:
return False
if user.is_superuser:
return True
if not user.is_superuser:
org = Organization.objects.get(pk=data['organization'])
if user in org.admins.all():
return True
return False
@classmethod @classmethod
def can_user_administrate(cls, user, obj): def can_user_administrate(cls, user, obj):

2
lib/main/serializers.py
View File

@@ -87,7 +87,7 @@ class InventorySerializer(BaseSerializer):
class Meta: class Meta:
model = Inventory model = Inventory
fields = ('url', 'id', 'name', 'description', 'creation_date') fields = ('url', 'id', 'name', 'description', 'creation_date', 'organization')
def get_related(self, obj): def get_related(self, obj):
# FIXME: add related resources: inventories # FIXME: add related resources: inventories

16
lib/main/tests/inventory.py
View File

@@ -91,13 +91,23 @@ class InventoryTest(BaseTest):
data = self.get(inventories_2, expect=403, auth=self.get_nobody_credentials()) data = self.get(inventories_2, expect=403, auth=self.get_nobody_credentials())
# a super user can create inventory # a super user can create inventory
new_inv_1 = dict(name='inventory-c', description='baz', organization=1)
# self.post(url, expect=401, data=new_user, auth=None) data = self.post(inventories, data=new_inv_1, expect=201, auth=self.get_super_credentials())
self.assertEquals(data['id'], 3)
# an org admin of any org can create inventory, if it is one of his organizations # an org admin of any org can create inventory, if it is one of his organizations
# the organization parameter is required # the organization parameter is required!
new_inv_incomplete = dict(name='inventory-d', description='baz')
data = self.post(inventories, data=new_inv_incomplete, expect=403, auth=self.get_normal_credentials())
new_inv_not_my_org = dict(name='inventory-d', description='baz', organization=3)
data = self.post(inventories, data=new_inv_not_my_org, expect=403, auth=self.get_normal_credentials())
new_inv_my_org = dict(name='inventory-d', description='baz', organization=1)
data = self.post(inventories, data=new_inv_my_org, expect=201, auth=self.get_normal_credentials())
# a regular user cannot create inventory # a regular user cannot create inventory
new_inv_denied = dict(name='inventory-e', description='glorp', organization=1)
data = self.post(inventories, data=new_inv_denied, expect=403, auth=self.get_other_credentials())
# a super user can add hosts # a super user can add hosts

2
lib/main/views.py
View File

@@ -282,5 +282,3 @@ class InventoryDetail(BaseDetail):
serializer_class = InventorySerializer serializer_class = InventorySerializer
permission_classes = (CustomRbac,) permission_classes = (CustomRbac,)