External-Mirrors/awx
2
0
Fork 0
mirror of https://github.com/ansible/awx.git synced 2026-03-07 19:51:08 -03:30
Code Issues Packages Projects Releases Wiki Activity

Fixes #1477

Browse Source
This commit is contained in:
Wayne Witzel III
2016-04-12 15:52:49 -04:00
committed by Wayne Witzel III
parent 3e479d5602
commit e53c2bdfa5
1 changed files with 10 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

28
awx/main/access.py
View File

@@ -772,26 +772,18 @@ class JobTemplateAccess(BaseAccess):
# Super users can start any job # Super users can start any job
if self.user.is_superuser: if self.user.is_superuser:
return True return True
# Check to make sure both the inventory and project exist
# Must have an inventory if you are not a superuser.
if obj.inventory is None: if obj.inventory is None:
return False return False
if obj.job_type == PERM_INVENTORY_SCAN: if obj.job_type == PERM_INVENTORY_SCAN:
if obj.project is None and obj.inventory.organization.accessible_by(self.user, {'read':True, 'update':True, 'write':True}): # Scan job with default project, must have JT execute or be org admin
return True if obj.project is None and obj.inventory:
if not obj.inventory.organization.accessible_by(self.user, {'read':True, 'update':True, 'write':True}): return (obj.accessible_by(self.user, {'execute': True}) or
return False obj.inventory.organization.accessible_by(self.user, ALL_PERMISSIONS))
if obj.project is None:
return False
# Given explicit execute access to this JobTemplate return obj.accessible_by(self.user, {'execute':True})
if obj.accessible_by(self.user, {'execute':True}):
return True
# If the user has admin access to the project they can start a job
if obj.project.accessible_by(self.user, ALL_PERMISSIONS):
return True
return obj.inventory.accessible_by(self.user, {'read':True}) and obj.project.accessible_by(self.user, {'read':True})
def can_change(self, obj, data): def can_change(self, obj, data):
data_for_change = data data_for_change = data
@@ -872,7 +864,7 @@ class JobAccess(BaseAccess):
has_perm = False has_perm = False
if obj.job_template is not None and obj.job_template.accessible_by(self.user, {'execute':True}): if obj.job_template is not None and obj.job_template.accessible_by(self.user, {'execute':True}):
has_perm = True has_perm = True
dep_access_inventory = obj.inventory.accessible_by(self.user, {'read':True}) dep_access_inventory = obj.inventory.accessible_by(self.user, {'use':True})
dep_access_project = obj.project is None or obj.project.accessible_by(self.user, {'read':True}) dep_access_project = obj.project is None or obj.project.accessible_by(self.user, {'read':True})
return self.can_read(obj) and dep_access_inventory and dep_access_project and has_perm return self.can_read(obj) and dep_access_inventory and dep_access_project and has_perm
@@ -895,7 +887,7 @@ class SystemJobAccess(BaseAccess):
''' '''
model = SystemJob model = SystemJob
class AdHocCommandAccess(BaseAccess): class AdHocCommandAccess(BaseAccess):
''' '''
I can only see/run ad hoc commands when: I can only see/run ad hoc commands when:
- I am a superuser. - I am a superuser.