External-Mirrors/awx
2
0
Fork 0
mirror of https://github.com/ansible/awx.git synced 2026-03-21 02:47:35 -02:30
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #1944 from wwitzel3/issue-1910

Browse Source 
Fix access to JT for admin and superuser
This commit is contained in:
Akita Noek
2016-05-19 09:17:29 -04:00
parent c158c9dfe3 1810e80203
commit e8a3e7456d
4 changed files with 5 additions and 41 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
awx/main/fields.py
View File

@@ -225,14 +225,7 @@ class ImplicitRoleField(models.ForeignKey):
parent_roles = set() parent_roles = set()
for path in paths: for path in paths:
if type(path) == tuple: if path.startswith("singleton:"):
for or_path in path:
if or_path.startswith("singleton:"):
raise Exception("Unable to use Singleton role in an OR context.")
parents = resolve_role_field(instance, or_path)
if len(parents) is not 0:
break
elif path.startswith("singleton:"):
singleton_name = path[10:] singleton_name = path[10:]
Role_ = get_current_apps().get_model('main', 'Role') Role_ = get_current_apps().get_model('main', 'Role')
qs = Role_.objects.filter(singleton_name=singleton_name) qs = Role_.objects.filter(singleton_name=singleton_name)

4
awx/main/migrations/0008_v300_rbac_changes.py
View File

@@ -220,7 +220,7 @@ class Migration(migrations.Migration):
migrations.AddField( migrations.AddField(
model_name='jobtemplate', model_name='jobtemplate',
name='admin_role', name='admin_role',
field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=[(b'project.admin_role', b'inventory.admin_role')], to='main.Role', null=b'True'), field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=[b'project.organization.admin_role', b'inventory.organization.admin_role'], to='main.Role', null=b'True'),
), ),
migrations.AddField( migrations.AddField(
model_name='jobtemplate', model_name='jobtemplate',
@@ -230,7 +230,7 @@ class Migration(migrations.Migration):
migrations.AddField( migrations.AddField(
model_name='jobtemplate', model_name='jobtemplate',
name='read_role', name='read_role',
field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=[(b'project.organization.auditor_role', b'inventory.organization.auditor_role'), b'execute_role', b'admin_role'], to='main.Role', null=b'True'), field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=[b'project.organization.auditor_role', b'inventory.organization.auditor_role', b'execute_role', b'admin_role'], to='main.Role', null=b'True'),
), ),
migrations.AddField( migrations.AddField(
model_name='organization', model_name='organization',

4
awx/main/models/jobs.py
View File

@@ -221,13 +221,13 @@ class JobTemplate(UnifiedJobTemplate, JobOptions, ResourceMixin):
default={}, default={},
) )
admin_role = ImplicitRoleField( admin_role = ImplicitRoleField(
parent_role=[('project.admin_role', 'inventory.admin_role')] parent_role=['project.organization.admin_role', 'inventory.organization.admin_role']
) )
execute_role = ImplicitRoleField( execute_role = ImplicitRoleField(
parent_role=['admin_role'], parent_role=['admin_role'],
) )
read_role = ImplicitRoleField( read_role = ImplicitRoleField(
parent_role=[('project.organization.auditor_role', 'inventory.organization.auditor_role'), 'execute_role', 'admin_role'], parent_role=['project.organization.auditor_role', 'inventory.organization.auditor_role', 'execute_role', 'admin_role'],
) )
@classmethod @classmethod

29
awx/main/tests/functional/test_rbac_core.py
View File

@@ -4,8 +4,6 @@ from awx.main.models import (
Role, Role,
Organization, Organization,
Project, Project,
JobTemplate,
Inventory,
) )
@@ -221,30 +219,3 @@ def test_auto_parenting():
assert org1.admin_role.is_ancestor_of(prj2.admin_role) is False assert org1.admin_role.is_ancestor_of(prj2.admin_role) is False
assert org2.admin_role.is_ancestor_of(prj1.admin_role) assert org2.admin_role.is_ancestor_of(prj1.admin_role)
assert org2.admin_role.is_ancestor_of(prj2.admin_role) assert org2.admin_role.is_ancestor_of(prj2.admin_role)
@pytest.mark.django_db
def test_OR_parents(alice, bob):
org1 = Organization.objects.create(name="org1")
inv = Inventory.objects.create(name='inv1', organization=org1)
prj = Project.objects.create(name='prj1', organization=org1)
jt1 = JobTemplate.objects.create(name='jt1', inventory=inv)
jt2 = JobTemplate.objects.create(name='jt2', project=prj)
jt3 = JobTemplate.objects.create(name='jt3', inventory=inv, project=prj)
assert bob not in jt1.admin_role
assert alice not in jt2.admin_role
assert bob not in jt3.admin_role
assert alice not in jt3.admin_role
inv.admin_role.members.add(bob)
assert bob in jt1.admin_role
assert alice not in jt1.admin_role
prj.admin_role.members.add(alice)
assert alice in jt2.admin_role
assert bob not in jt2.admin_role
assert alice in jt3.admin_role
assert bob not in jt3.admin_role