External-Mirrors/awx
2
0
Fork 0
mirror of https://github.com/ansible/awx.git synced 2026-03-28 14:25:05 -02:30
Code Issues Packages Projects Releases Wiki Activity

Check inventory access for normal users when deciding what job templates

Browse Source 
show up in the job template queryset
This commit is contained in:
Matthew Jones
2015-06-11 16:24:54 -04:00
parent 32d1c0e4db
commit df61fd6ab8
1 changed files with 14 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
awx/main/access.py
View File

@@ -904,8 +904,21 @@ class JobTemplateAccess(BaseAccess):
inventory__permissions__pk=F('project__permissions__pk'), inventory__permissions__pk=F('project__permissions__pk'),
) )
perm_inventory_read_user_qs = qs.filter(
inventory__permissions__user__in=[self.user],
inventory__permissions__permission_type__in=PERMISSION_TYPES_ALLOWING_INVENTORY_READ,
inventory__permissions__active=True)
perm_inventory_read_team_qs = qs.filter(
inventory__permissions__team__users__in=[self.user],
inventory__permissions__team__active=True,
inventory__permissions__permission_type__in=PERMISSION_TYPES_ALLOWING_INVENTORY_READ,
inventory__permissions__active=True)
perm_inventory = perm_inventory_read_user_qs | perm_inventory_read_team_qs
# FIXME: I *think* this should work... needs more testing. # FIXME: I *think* this should work... needs more testing.
return org_admin_qs | perm_deploy_qs | perm_check_qs return org_admin_qs | (perm_deploy_qs & perm_inventory) | (perm_check_qs & perm_inventory)
def can_read(self, obj): def can_read(self, obj):
# you can only see the job templates that you have permission to launch. # you can only see the job templates that you have permission to launch.