allow no-op case for vault_credential

2026-01-12 18:40:01 -03:30 · 2017-12-01 10:28:16 -05:00 · 2017-12-01 10:28:16 -05:00 · dfc154ed95
commit dfc154ed95
parent fde5a8850d
2 changed files with 22 additions and 3 deletions
--- a/awx/api/serializers.py
+++ b/awx/api/serializers.py
@ -2446,7 +2446,8 @@ class JobOptionsSerializer(LabelsListMixin, BaseSerializer):
                    cred = v1_credentials[attr] = Credential.objects.get(pk=pk)
                    if cred.credential_type.kind != kind:
                        raise serializers.ValidationError({attr: error})
-                    if view and view.request and view.request.user not in cred.use_role:
+                    if ((not self.instance or cred.pk != getattr(self.instance, attr)) and
+                            view and view.request and view.request.user not in cred.use_role):
                        raise PermissionDenied()

        if 'project' in self.fields and 'playbook' in self.fields:
--- a/awx/main/tests/functional/test_rbac_job_templates.py
+++ b/awx/main/tests/functional/test_rbac_job_templates.py
@ -136,7 +136,7 @@ class TestJobTemplateCredentials:
            job_template, credential, 'credentials', {})

    def test_job_template_vault_cred_check(self, mocker, job_template, vault_credential, rando, project):
-        # TODO: remove in 3.3
+        # TODO: remove in 3.4
        job_template.admin_role.members.add(rando)
        # not allowed to use the vault cred
        # this is checked in the serializer validate method, not access.py
@ -151,9 +151,27 @@ class TestJobTemplateCredentials:
                'ask_inventory_on_launch': True,
            })

+    def test_job_template_vault_cred_check_noop(self, mocker, job_template, vault_credential, rando, project):
+        # TODO: remove in 3.4
+        job_template.credentials.add(vault_credential)
+        job_template.admin_role.members.add(rando)
+        # not allowed to use the vault cred
+        # this is checked in the serializer validate method, not access.py
+        view = mocker.MagicMock()
+        view.request = mocker.MagicMock()
+        view.request.user = rando
+        serializer = JobTemplateSerializer(job_template, context={'view': view})
+        # should not raise error:
+        serializer.validate({
+            'vault_credential': vault_credential.pk,
+            'project': project,  # necessary because job_template fixture fails validation
+            'playbook': 'helloworld.yml',
+            'ask_inventory_on_launch': True,
+        })
+
    def test_new_jt_with_vault(self, mocker, vault_credential, project, rando):
        project.admin_role.members.add(rando)
-        # TODO: remove in 3.3
+        # TODO: remove in 3.4
        # this is checked in the serializer validate method, not access.py
        view = mocker.MagicMock()
        view.request = mocker.MagicMock()