Fixes #1477

2026-01-13 11:00:03 -03:30 · 2016-04-12 15:52:49 -04:00 · 2016-04-12 15:52:49 -04:00 · e53c2bdfa5
commit e53c2bdfa5
parent 3e479d5602
1 changed files with 10 additions and 18 deletions
--- a/awx/main/access.py
+++ b/awx/main/access.py
@ -772,26 +772,18 @@ class JobTemplateAccess(BaseAccess):
        # Super users can start any job
        if self.user.is_superuser:
            return True
-        # Check to make sure both the inventory and project exist
+
+        # Must have an inventory if you are not a superuser.
        if obj.inventory is None:
            return False
+
        if obj.job_type == PERM_INVENTORY_SCAN:
-            if obj.project is None and obj.inventory.organization.accessible_by(self.user, {'read':True, 'update':True, 'write':True}):
-                return True
-            if not obj.inventory.organization.accessible_by(self.user, {'read':True, 'update':True, 'write':True}):
-                return False
-        if obj.project is None:
-            return False
+            # Scan job with default project, must have JT execute or be org admin
+            if obj.project is None and obj.inventory:
+                return (obj.accessible_by(self.user, {'execute': True}) or
+                        obj.inventory.organization.accessible_by(self.user, ALL_PERMISSIONS))

-        # Given explicit execute access to this JobTemplate
-        if obj.accessible_by(self.user, {'execute':True}):
-            return True
-
-        # If the user has admin access to the project they can start a job
-        if obj.project.accessible_by(self.user, ALL_PERMISSIONS):
-            return True
-
-        return obj.inventory.accessible_by(self.user, {'read':True}) and obj.project.accessible_by(self.user, {'read':True})
+        return obj.accessible_by(self.user, {'execute':True})

    def can_change(self, obj, data):
        data_for_change = data
@ -872,7 +864,7 @@ class JobAccess(BaseAccess):
        has_perm = False
        if obj.job_template is not None and obj.job_template.accessible_by(self.user, {'execute':True}):
            has_perm = True
-        dep_access_inventory = obj.inventory.accessible_by(self.user, {'read':True})
+        dep_access_inventory = obj.inventory.accessible_by(self.user, {'use':True})
        dep_access_project = obj.project is None or obj.project.accessible_by(self.user, {'read':True})
        return self.can_read(obj) and dep_access_inventory and dep_access_project and has_perm

@ -895,7 +887,7 @@ class SystemJobAccess(BaseAccess):
    '''
    model = SystemJob

-class AdHocCommandAccess(BaseAccess): 
+class AdHocCommandAccess(BaseAccess):
    '''
    I can only see/run ad hoc commands when:
    - I am a superuser.