add org admins as able to control EEs even if they don't have the ee_admin role for the specific ee and prevent managed_by_tower EEs from being edited/deleted

2026-01-13 11:00:03 -03:30 · 2021-02-17 14:54:17 -05:00 · 2021-02-17 14:54:17 -05:00 · eaa74b40c1
commit eaa74b40c1
parent cf513b33ee
1 changed files with 4 additions and 2 deletions
--- a/awx/main/access.py
+++ b/awx/main/access.py
@ -1325,7 +1325,7 @@ class ExecutionEnvironmentAccess(BaseAccess):

    def filtered_queryset(self):
        return ExecutionEnvironment.objects.filter(
-            Q(organization__in=Organization.accessible_pk_qs(self.user, 'execution_environment_admin_role')) |
+            Q(organization__in=Organization.accessible_pk_qs(self.user, 'member_role')) |
            Q(organization__isnull=True)
        ).distinct()

@ -1337,9 +1337,11 @@ class ExecutionEnvironmentAccess(BaseAccess):

    @check_superuser
    def can_change(self, obj, data):
+        if obj.managed_by_tower is True:
+            raise PermissionDenied
        if obj and obj.organization_id is None:
            raise PermissionDenied
-        if self.user not in obj.organization.execution_environment_admin_role:
+        if self.user not in obj.organization.execution_environment_admin_role and self.user not in obj.organization.admin_role:
            raise PermissionDenied
        org_pk = get_pk_from_dict(data, 'organization')
        if obj and obj.organization_id != org_pk: