mirror of
https://github.com/ansible/awx.git
synced 2026-02-28 16:28:43 -03:30
Cleanup user permissions check, fix bug to allow admin to change own username, first_name and last_name.
This commit is contained in:
Chris Church
@@ -130,10 +130,11 @@ class UserAccess(BaseAccess):
|
|||||||
def can_change(self, obj, data):
|
def can_change(self, obj, data):
|
||||||
# A user can be changed if they are themselves, or by org admins or
|
# A user can be changed if they are themselves, or by org admins or
|
||||||
# superusers.
|
# superusers.
|
||||||
|
if self.user.is_superuser:
|
||||||
|
return True
|
||||||
if self.user == obj:
|
if self.user == obj:
|
||||||
return 'partial'
|
return 'partial'
|
||||||
return bool(self.user.is_superuser or
|
return bool(obj.organizations.filter(admins__in=[self.user]).count())
|
||||||
obj.organizations.filter(admins__in=[self.user]).count())
|
|
||||||
|
|
||||||
def can_delete(self, obj):
|
def can_delete(self, obj):
|
||||||
return bool(self.user.is_superuser or
|
return bool(self.user.is_superuser or
|
||||||
|
|||||||
@@ -78,39 +78,6 @@ PERMISSION_TYPE_CHOICES = [
|
|||||||
(PERM_INVENTORY_CHECK, _('Deploy To Inventory (Dry Run)')),
|
(PERM_INVENTORY_CHECK, _('Deploy To Inventory (Dry Run)')),
|
||||||
]
|
]
|
||||||
|
|
||||||
class EditHelper(object):
|
|
||||||
|
|
||||||
@classmethod
|
|
||||||
def illegal_changes(cls, request, obj, model_class):
|
|
||||||
''' have any illegal changes been made (for a PUT request)? '''
|
|
||||||
from awx.main.access import check_user_access
|
|
||||||
#can_admin = model_class.can_user_administrate(request.user, obj, request.DATA)
|
|
||||||
can_admin = check_user_access(request.user, User, 'change', obj, request.DATA)
|
|
||||||
if (not can_admin) or (can_admin == 'partial'):
|
|
||||||
check_fields = model_class.admin_only_edit_fields
|
|
||||||
changed = cls.fields_changed(check_fields, obj, request.DATA)
|
|
||||||
if len(changed.keys()) > 0:
|
|
||||||
return True
|
|
||||||
return False
|
|
||||||
|
|
||||||
@classmethod
|
|
||||||
def fields_changed(cls, fields, obj, data):
|
|
||||||
''' return the fields that would be changed by a prospective PUT operation '''
|
|
||||||
changed = {}
|
|
||||||
for f in fields:
|
|
||||||
left = getattr(obj, f, None)
|
|
||||||
if left is None:
|
|
||||||
raise Exception("internal error, %s is not a member of %s" % (f, obj))
|
|
||||||
right = data.get(f, None)
|
|
||||||
if (right is not None) and (left != right):
|
|
||||||
changed[f] = (left, right)
|
|
||||||
return changed
|
|
||||||
|
|
||||||
class UserHelper(object):
|
|
||||||
|
|
||||||
# fields that the user themselves cannot edit, but are not actually read only
|
|
||||||
admin_only_edit_fields = ('last_name', 'first_name', 'username', 'is_active', 'is_superuser')
|
|
||||||
|
|
||||||
class PrimordialModel(models.Model):
|
class PrimordialModel(models.Model):
|
||||||
'''
|
'''
|
||||||
common model for all object types that have these standard fields
|
common model for all object types that have these standard fields
|
||||||
|
|||||||
@@ -178,6 +178,17 @@ class UsersTest(BaseTest):
|
|||||||
self.assertEquals(data['results'][0]['username'], 'admin')
|
self.assertEquals(data['results'][0]['username'], 'admin')
|
||||||
self.assertEquals(data['count'], 1)
|
self.assertEquals(data['count'], 1)
|
||||||
|
|
||||||
|
def test_superuser_can_change_admin_only_fields_about_himself(self):
|
||||||
|
url = reverse('main:user_detail', args=(self.super_django_user.pk,))
|
||||||
|
data = self.get(url, expect=200, auth=self.get_super_credentials())
|
||||||
|
data['username'] += '2'
|
||||||
|
data['first_name'] += ' Awesome'
|
||||||
|
data['last_name'] += ', Jr.'
|
||||||
|
response = self.put(url, data, expect=200,
|
||||||
|
auth=self.get_super_credentials())
|
||||||
|
# FIXME: Test if super user mark himself as no longer a super user, or
|
||||||
|
# delete himself.
|
||||||
|
|
||||||
def test_user_related_resources(self):
|
def test_user_related_resources(self):
|
||||||
|
|
||||||
# organizations the user is a member of, should be 1
|
# organizations the user is a member of, should be 1
|
||||||
|
|||||||
@@ -609,8 +609,19 @@ class UserDetail(BaseDetail):
|
|||||||
def put_filter(self, request, *args, **kwargs):
|
def put_filter(self, request, *args, **kwargs):
|
||||||
''' make sure non-read-only fields that can only be edited by admins, are only edited by admins '''
|
''' make sure non-read-only fields that can only be edited by admins, are only edited by admins '''
|
||||||
obj = User.objects.get(pk=kwargs['pk'])
|
obj = User.objects.get(pk=kwargs['pk'])
|
||||||
if EditHelper.illegal_changes(request, obj, UserHelper):
|
can_admin = check_user_access(request.user, User, 'admin', obj, request.DATA)
|
||||||
raise PermissionDenied()
|
if not can_admin or can_admin == 'partial':
|
||||||
|
admin_only_edit_fields = ('last_name', 'first_name', 'username',
|
||||||
|
'is_active', 'is_superuser')
|
||||||
|
changed = {}
|
||||||
|
for field in admin_only_edit_fields:
|
||||||
|
left = getattr(obj, field, None)
|
||||||
|
right = request.DATA.get(field, None)
|
||||||
|
if left is not None and right is not None and left != right:
|
||||||
|
changed[field] = (left, right)
|
||||||
|
if changed:
|
||||||
|
raise PermissionDenied('Cannot change %s' % ', '.join(changed.keys()))
|
||||||
|
|
||||||
if 'password' in request.DATA:
|
if 'password' in request.DATA:
|
||||||
obj.set_password(request.DATA['password'])
|
obj.set_password(request.DATA['password'])
|
||||||
obj.save()
|
obj.save()
|
||||||
|
|||||||
Reference in New Issue
Block a user