mirror of
https://github.com/ansible/awx.git
synced 2026-07-07 22:38:04 -02:30
add org-app endpoint & permissions
This commit is contained in:
@@ -580,13 +580,13 @@ class UserAccess(BaseAccess):
|
||||
|
||||
class OAuth2ApplicationAccess(BaseAccess):
|
||||
'''
|
||||
I can read, change or delete OAuth applications when:
|
||||
I can read, change or delete OAuth 2 applications when:
|
||||
- I am a superuser.
|
||||
- I am the admin of the organization of the user of the application.
|
||||
- I am the user of the application.
|
||||
I can create OAuth applications when:
|
||||
- I am a user in the organization of the application.
|
||||
I can create OAuth 2 applications when:
|
||||
- I am a superuser.
|
||||
- I am the admin of the organization of the user of the application.
|
||||
- I am the admin of the organization of the organization of the application.
|
||||
'''
|
||||
|
||||
model = OAuth2Application
|
||||
@@ -596,50 +596,79 @@ class OAuth2ApplicationAccess(BaseAccess):
|
||||
return self.model.objects.filter(organization__in=self.user.organizations)
|
||||
|
||||
def can_change(self, obj, data):
|
||||
return self.can_read(obj)
|
||||
|
||||
if obj.organization in self.user.admin_of_organizations or self.user.is_superuser:
|
||||
if not self.check_related('organization', Organization, data, role_field='admin_role'):
|
||||
return False
|
||||
return True
|
||||
else:
|
||||
return False
|
||||
|
||||
def can_delete(self, obj):
|
||||
return self.can_read(obj)
|
||||
if obj.organization in self.user.admin_of_organizations or self.user.is_superuser:
|
||||
return True
|
||||
else:
|
||||
return False
|
||||
|
||||
def can_add(self, data):
|
||||
if self.user.is_superuser:
|
||||
return True
|
||||
user = get_object_from_data('user', User, data)
|
||||
if not user:
|
||||
return False
|
||||
return set(self.user.admin_of_organizations.all()) & set(user.organizations.all())
|
||||
return True
|
||||
if not data:
|
||||
return Organization.accessible_objects(self.user, 'admin_role').exists()
|
||||
return self.check_related('organization', Organization, data, role_field='admin_role')
|
||||
|
||||
|
||||
class OAuth2TokenAccess(BaseAccess):
|
||||
'''
|
||||
I can read, change or delete an OAuth2 token when:
|
||||
I can read, change or delete an app token when:
|
||||
- I am a superuser.
|
||||
- I am the admin of the organization of the user of the token.
|
||||
- I am the admin of the organization of the application of the token.
|
||||
- I am the user of the token.
|
||||
I can create an OAuth token when:
|
||||
I can create an OAuth2 app token when:
|
||||
- I have the read permission of the related application.
|
||||
|
||||
I can read, change or delete a personal token when:
|
||||
-
|
||||
I can create an OAuth2 Personal Access Token when:
|
||||
- I am a user. But I can only create a PAT for myself.
|
||||
'''
|
||||
|
||||
model = OAuth2AccessToken
|
||||
|
||||
select_related = ('user', 'application')
|
||||
|
||||
def filtered_queryset(self):
|
||||
accessible_users = User.objects.filter(
|
||||
pk__in=self.user.admin_of_organizations.values('member_role__members')
|
||||
) | User.objects.filter(pk=self.user.pk)
|
||||
return self.model.objects.filter(user__in=accessible_users)
|
||||
|
||||
|
||||
def filtered_queryset(self):
|
||||
org_access_qs = Organization.objects.filter(
|
||||
Q(admin_role__members=self.user) | Q(auditor_role__members=self.user))
|
||||
return self.model.objects.filter(application__organization__in=org_access_qs) | self.model.objects.filter(user__id=self.user.pk)
|
||||
|
||||
def can_change(self, obj, data):
|
||||
return self.can_read(obj)
|
||||
print 'obj user:', obj.user, '\nself.user:', self.user
|
||||
if (self.user.is_superuser) | (obj.user == self.user):
|
||||
return True
|
||||
elif self.user.is_system_auditor:
|
||||
return False
|
||||
elif not obj.application:
|
||||
return False
|
||||
return self.user in obj.application.organization.admin_role
|
||||
|
||||
def can_delete(self, obj):
|
||||
return self.can_read(obj)
|
||||
if (self.user.is_superuser) | (obj.user == self.user):
|
||||
return True
|
||||
elif self.user.is_system_auditor:
|
||||
return False
|
||||
elif not obj.application:
|
||||
return False
|
||||
return self.user in obj.application.organization.admin_role
|
||||
|
||||
def can_add(self, data):
|
||||
app = get_object_from_data('application', OAuth2Application, data)
|
||||
if not app:
|
||||
return True
|
||||
return OAuth2ApplicationAccess(self.user).can_read(app)
|
||||
if 'application' in data:
|
||||
app = get_object_from_data('application', OAuth2Application, data)
|
||||
if self.user.is_system_auditor:
|
||||
return False
|
||||
elif app is None:
|
||||
return True
|
||||
return OAuth2ApplicationAccess(self.user).can_read(app)
|
||||
return True
|
||||
|
||||
|
||||
class OrganizationAccess(BaseAccess):
|
||||
|
||||
Reference in New Issue
Block a user