Finish ad hoc command unit tests.

2026-02-28 08:18:43 -03:30 · 2015-04-05 18:31:51 -04:00
parent 0fdb9703ea
commit e2a6f100e1
8 changed files with 563 additions and 134 deletions
--- a/awx/api/permissions.py
+++ b/awx/api/permissions.py
@@ -8,7 +8,7 @@ import logging
 from django.http import Http404

 # Django REST Framework
-from rest_framework.exceptions import PermissionDenied
+from rest_framework.exceptions import MethodNotAllowed, PermissionDenied
 from rest_framework import permissions

 # AWX
@@ -45,7 +45,10 @@ class ModelAccessPermission(permissions.BasePermission):

    def check_post_permissions(self, request, view, obj=None):
        if hasattr(view, 'parent_model'):
-            get_object_or_400(view.parent_model, pk=view.kwargs['pk'])
+            parent_obj = get_object_or_400(view.parent_model, pk=view.kwargs['pk'])
+            if not check_user_access(request.user, view.parent_model, 'read',
+                                     parent_obj):
+                return False
            return True
        elif getattr(view, 'is_job_start', False):
            if not obj:
@@ -108,6 +111,11 @@ class ModelAccessPermission(permissions.BasePermission):
        if request.user.is_superuser:
            return True

+        # Check if view supports the request method before checking permission
+        # based on request method.
+        if request.method.upper() not in view.allowed_methods:
+            raise MethodNotAllowed(request.method)
+
        # Check permissions for the given view and object, based on the request
        # method used.
        check_method = getattr(self, 'check_%s_permissions' % request.method.lower(), None)