External-Mirrors/awx
2
0
Fork 0
mirror of https://github.com/ansible/awx.git synced 2026-03-09 21:49:27 -02:30
Code Issues Packages Projects Releases Wiki Activity

update access calls to new RBAC roles

Browse Source
This commit is contained in:
Wayne Witzel III
2016-04-15 10:45:33 -04:00
parent 6d34ca9d22
commit eae7349665
2 changed files with 73 additions and 83 deletions
Download Patch File Download Diff File Expand all files Collapse all files

155
awx/main/access.py
View File

@@ -23,7 +23,7 @@ from awx.main.task_engine import TaskSerializer
from awx.main.conf import tower_settings from awx.main.conf import tower_settings
__all__ = ['get_user_queryset', 'check_user_access', __all__ = ['get_user_queryset', 'check_user_access',
'user_accessible_objects', 'user_accessible_by', 'user_accessible_objects',
'user_admin_role',] 'user_admin_role',]
PERMISSION_TYPES = [ PERMISSION_TYPES = [
@@ -65,17 +65,8 @@ def register_access(model_class, access_class):
def user_admin_role(self): def user_admin_role(self):
return Role.objects.get(content_type=ContentType.objects.get_for_model(User), object_id=self.id) return Role.objects.get(content_type=ContentType.objects.get_for_model(User), object_id=self.id)
def user_accessible_objects(user, permissions): def user_accessible_objects(user, role):
return ResourceMixin._accessible_objects(User, user, permissions) return ResourceMixin._accessible_objects(User, user, role)
def user_accessible_by(instance, user, permissions):
perms = get_user_permissions_on_resource(instance, user)
if perms is None:
return False
for k in permissions:
if k not in perms or perms[k] < permissions[k]:
return False
return True
def get_user_queryset(user, model_class): def get_user_queryset(user, model_class):
''' '''
@@ -229,7 +220,7 @@ class UserAccess(BaseAccess):
return False return False
if self.user.is_superuser: if self.user.is_superuser:
return True return True
return Organization.accessible_objects(self.user, ALL_PERMISSIONS).exists() return Organization.accessible_objects(self.user, 'admin_role').exists()
def can_change(self, obj, data): def can_change(self, obj, data):
if data is not None and 'is_superuser' in data: if data is not None and 'is_superuser' in data:
@@ -256,7 +247,7 @@ class UserAccess(BaseAccess):
return False return False
if self.user.is_superuser: if self.user.is_superuser:
return True return True
return obj.accessible_by(self.user, {'delete': True}) return False
class OrganizationAccess(BaseAccess): class OrganizationAccess(BaseAccess):
@@ -272,13 +263,13 @@ class OrganizationAccess(BaseAccess):
model = Organization model = Organization
def get_queryset(self): def get_queryset(self):
qs = self.model.accessible_objects(self.user, {'read':True}) qs = self.model.accessible_objects(self.user, 'read_role')
return qs.select_related('created_by', 'modified_by').all() return qs.select_related('created_by', 'modified_by').all()
def can_change(self, obj, data): def can_change(self, obj, data):
if self.user.is_superuser: if self.user.is_superuser:
return True return True
return obj.accessible_by(self.user, ALL_PERMISSIONS) return self.user in obj.admin_role
def can_delete(self, obj): def can_delete(self, obj):
self.check_license(feature='multiple_organizations', check_expiration=False) self.check_license(feature='multiple_organizations', check_expiration=False)
@@ -307,29 +298,29 @@ class InventoryAccess(BaseAccess):
model = Inventory model = Inventory
def get_queryset(self, allowed=None, ad_hoc=None): def get_queryset(self, allowed=None, ad_hoc=None):
qs = self.model.accessible_objects(self.user, {'read': True}) qs = self.model.accessible_objects(self.user, 'read_role')
return qs.select_related('created_by', 'modified_by', 'organization').all() return qs.select_related('created_by', 'modified_by', 'organization').all()
def can_read(self, obj): def can_read(self, obj):
if self.user.is_superuser: if self.user.is_superuser:
return True return True
return obj.accessible_by(self.user, {'read': True}) return self.user in obj.read_role
def can_use(self, obj): def can_use(self, obj):
if self.user.is_superuser: if self.user.is_superuser:
return True return True
return obj.accessible_by(self.user, {'use': True}) return self.user in obj.use_role
def can_add(self, data): def can_add(self, data):
# If no data is specified, just checking for generic add permission? # If no data is specified, just checking for generic add permission?
if not data: if not data:
return Organization.accessible_objects(self.user, ALL_PERMISSIONS).exists() return Organization.accessible_objects(self.user, 'admin_role').exists()
if self.user.is_superuser: if self.user.is_superuser:
return True return True
org_pk = get_pk_from_dict(data, 'organization') org_pk = get_pk_from_dict(data, 'organization')
org = get_object_or_400(Organization, pk=org_pk) org = get_object_or_400(Organization, pk=org_pk)
return org.accessible_by(self.user, {'read': True, 'create':True, 'update': True, 'delete': True}) return self.user in org.admin_role
def can_change(self, obj, data): def can_change(self, obj, data):
# Verify that the user has access to the new organization if moving an # Verify that the user has access to the new organization if moving an
@@ -337,10 +328,10 @@ class InventoryAccess(BaseAccess):
org_pk = get_pk_from_dict(data, 'organization') org_pk = get_pk_from_dict(data, 'organization')
if obj and org_pk and obj.organization.pk != org_pk: if obj and org_pk and obj.organization.pk != org_pk:
org = get_object_or_400(Organization, pk=org_pk) org = get_object_or_400(Organization, pk=org_pk)
if not org.accessible_by(self.user, {'read': True, 'create':True, 'update': True, 'delete': True}): if self.user not in org.admin_role:
return False return False
# Otherwise, just check for write permission. # Otherwise, just check for write permission.
return obj.accessible_by(self.user, {'read': True, 'create':True, 'update': True, 'delete': True}) return self.user in obj.admin_role
def can_admin(self, obj, data): def can_admin(self, obj, data):
# Verify that the user has access to the new organization if moving an # Verify that the user has access to the new organization if moving an
@@ -348,16 +339,16 @@ class InventoryAccess(BaseAccess):
org_pk = get_pk_from_dict(data, 'organization') org_pk = get_pk_from_dict(data, 'organization')
if obj and org_pk and obj.organization.pk != org_pk: if obj and org_pk and obj.organization.pk != org_pk:
org = get_object_or_400(Organization, pk=org_pk) org = get_object_or_400(Organization, pk=org_pk)
if not org.accessible_by(self.user, ALL_PERMISSIONS): if self.user not in org.admin_role:
return False return False
# Otherwise, just check for admin permission. # Otherwise, just check for admin permission.
return obj.accessible_by(self.user, ALL_PERMISSIONS) return self.user in obj.admin_role
def can_delete(self, obj): def can_delete(self, obj):
return self.can_admin(obj, None) return self.can_admin(obj, None)
def can_run_ad_hoc_commands(self, obj): def can_run_ad_hoc_commands(self, obj):
return obj.accessible_by(self.user, {'execute': True}) return self.user in adhoc_role
class HostAccess(BaseAccess): class HostAccess(BaseAccess):
''' '''
@@ -368,14 +359,14 @@ class HostAccess(BaseAccess):
model = Host model = Host
def get_queryset(self): def get_queryset(self):
qs = self.model.accessible_objects(self.user, {'read':True}) qs = self.model.accessible_objects(self.user, 'read_role')
qs = qs.select_related('created_by', 'modified_by', 'inventory', qs = qs.select_related('created_by', 'modified_by', 'inventory',
'last_job__job_template', 'last_job__job_template',
'last_job_host_summary__job') 'last_job_host_summary__job')
return qs.prefetch_related('groups').all() return qs.prefetch_related('groups').all()
def can_read(self, obj): def can_read(self, obj):
return obj and obj.inventory.accessible_by(self.user, {'read':True}) return obj and self.user in obj.read_role
def can_add(self, data): def can_add(self, data):
if not data or 'inventory' not in data: if not data or 'inventory' not in data:
@@ -384,7 +375,7 @@ class HostAccess(BaseAccess):
# Checks for admin or change permission on inventory. # Checks for admin or change permission on inventory.
inventory_pk = get_pk_from_dict(data, 'inventory') inventory_pk = get_pk_from_dict(data, 'inventory')
inventory = get_object_or_400(Inventory, pk=inventory_pk) inventory = get_object_or_400(Inventory, pk=inventory_pk)
if not inventory.accessible_by(self.user, {'read':True, 'create':True}): if self.user not in inventory.admin_role:
return False return False
# Check to see if we have enough licenses # Check to see if we have enough licenses
@@ -398,7 +389,7 @@ class HostAccess(BaseAccess):
raise PermissionDenied('Unable to change inventory on a host') raise PermissionDenied('Unable to change inventory on a host')
# Checks for admin or change permission on inventory, controls whether # Checks for admin or change permission on inventory, controls whether
# the user can edit variable data. # the user can edit variable data.
return obj and obj.inventory.accessible_by(self.user, {'read':True, 'update':True, 'write':True}) return obj and self.user in obj.inventory.admin_role
def can_attach(self, obj, sub_obj, relationship, data, def can_attach(self, obj, sub_obj, relationship, data,
skip_sub_obj_read_check=False): skip_sub_obj_read_check=False):
@@ -411,7 +402,7 @@ class HostAccess(BaseAccess):
return True return True
def can_delete(self, obj): def can_delete(self, obj):
return obj and obj.inventory.accessible_by(self.user, {'delete':True}) return obj and self.user in obj.inventory.admin_role
class GroupAccess(BaseAccess): class GroupAccess(BaseAccess):
''' '''
@@ -422,12 +413,12 @@ class GroupAccess(BaseAccess):
model = Group model = Group
def get_queryset(self): def get_queryset(self):
qs = self.model.accessible_objects(self.user, {'read':True}) qs = self.model.accessible_objects(self.user, 'read_role')
qs = qs.select_related('created_by', 'modified_by', 'inventory') qs = qs.select_related('created_by', 'modified_by', 'inventory')
return qs.prefetch_related('parents', 'children', 'inventory_source').all() return qs.prefetch_related('parents', 'children', 'inventory_source').all()
def can_read(self, obj): def can_read(self, obj):
return obj and obj.inventory.accessible_by(self.user, {'read':True}) return obj and self.user in obj.inventory.read_role
def can_add(self, data): def can_add(self, data):
if not data or 'inventory' not in data: if not data or 'inventory' not in data:
@@ -435,7 +426,7 @@ class GroupAccess(BaseAccess):
# Checks for admin or change permission on inventory. # Checks for admin or change permission on inventory.
inventory_pk = get_pk_from_dict(data, 'inventory') inventory_pk = get_pk_from_dict(data, 'inventory')
inventory = get_object_or_400(Inventory, pk=inventory_pk) inventory = get_object_or_400(Inventory, pk=inventory_pk)
return inventory.accessible_by(self.user, {'read':True, 'create':True}) return self.user in inventory.admin_role
def can_change(self, obj, data): def can_change(self, obj, data):
# Prevent moving a group to a different inventory. # Prevent moving a group to a different inventory.
@@ -444,7 +435,7 @@ class GroupAccess(BaseAccess):
raise PermissionDenied('Unable to change inventory on a group') raise PermissionDenied('Unable to change inventory on a group')
# Checks for admin or change permission on inventory, controls whether # Checks for admin or change permission on inventory, controls whether
# the user can attach subgroups or edit variable data. # the user can attach subgroups or edit variable data.
return obj and obj.inventory.accessible_by(self.user, {'read':True, 'update':True, 'write':True}) return obj and self.user in obj.inventory.admin_role
def can_attach(self, obj, sub_obj, relationship, data, def can_attach(self, obj, sub_obj, relationship, data,
skip_sub_obj_read_check=False): skip_sub_obj_read_check=False):
@@ -465,7 +456,7 @@ class GroupAccess(BaseAccess):
return True return True
def can_delete(self, obj): def can_delete(self, obj):
return obj and obj.inventory.accessible_by(self.user, {'delete':True}) return obj and self.user in obj.inventory.admin_role
class InventorySourceAccess(BaseAccess): class InventorySourceAccess(BaseAccess):
''' '''
@@ -484,9 +475,9 @@ class InventorySourceAccess(BaseAccess):
def can_read(self, obj): def can_read(self, obj):
if obj and obj.group: if obj and obj.group:
return obj.group.accessible_by(self.user, {'read':True}) return self.user in obj.group.read_role
elif obj and obj.inventory: elif obj and obj.inventory:
return obj.inventory.accessible_by(self.user, {'read':True}) return self.user in obj.inventory.read_role
else: else:
return False return False
@@ -497,7 +488,7 @@ class InventorySourceAccess(BaseAccess):
def can_change(self, obj, data): def can_change(self, obj, data):
# Checks for admin or change permission on group. # Checks for admin or change permission on group.
if obj and obj.group: if obj and obj.group:
return obj.group.accessible_by(self.user, {'read':True, 'update':True, 'write':True}) return self.user in obj.group.admin_role
# Can't change inventory sources attached to only the inventory, since # Can't change inventory sources attached to only the inventory, since
# these are created automatically from the management command. # these are created automatically from the management command.
else: else:
@@ -547,11 +538,11 @@ class CredentialAccess(BaseAccess):
"""Return the queryset for credentials, based on what the user is """Return the queryset for credentials, based on what the user is
permitted to see. permitted to see.
""" """
qs = self.model.accessible_objects(self.user, {'read':True}) qs = self.model.accessible_objects(self.user, 'read_role')
return qs.select_related('created_by', 'modified_by').all() return qs.select_related('created_by', 'modified_by').all()
def can_read(self, obj): def can_read(self, obj):
return obj.accessible_by(self.user, {'read': True}) return self.user in obj.read_role
def can_add(self, data): def can_add(self, data):
# Access enforced in our view where we have context enough to make a decision # Access enforced in our view where we have context enough to make a decision
@@ -560,12 +551,12 @@ class CredentialAccess(BaseAccess):
def can_use(self, obj): def can_use(self, obj):
if self.user.is_superuser: if self.user.is_superuser:
return True return True
return obj.accessible_by(self.user, {'use': True}) return self.user in obj.use_role
def can_change(self, obj, data): def can_change(self, obj, data):
if self.user.is_superuser: if self.user.is_superuser:
return True return True
return obj.accessible_by(self.user, {'read':True, 'update': True, 'delete':True}) return self.user in obj.admin_role
def can_delete(self, obj): def can_delete(self, obj):
# Unassociated credentials may be marked deleted by anyone, though we # Unassociated credentials may be marked deleted by anyone, though we
@@ -588,7 +579,7 @@ class TeamAccess(BaseAccess):
model = Team model = Team
def get_queryset(self): def get_queryset(self):
qs = self.model.accessible_objects(self.user, {'read':True}) qs = self.model.accessible_objects(self.user, 'read_role')
return qs.select_related('created_by', 'modified_by', 'organization').all() return qs.select_related('created_by', 'modified_by', 'organization').all()
def can_add(self, data): def can_add(self, data):
@@ -597,7 +588,7 @@ class TeamAccess(BaseAccess):
else: else:
org_pk = get_pk_from_dict(data, 'organization') org_pk = get_pk_from_dict(data, 'organization')
org = get_object_or_400(Organization, pk=org_pk) org = get_object_or_400(Organization, pk=org_pk)
if org.accessible_by(self.user, {'read':True, 'update':True, 'write':True}): if self.user in org.admin_role:
return True return True
return False return False
@@ -606,7 +597,7 @@ class TeamAccess(BaseAccess):
org_pk = get_pk_from_dict(data, 'organization') org_pk = get_pk_from_dict(data, 'organization')
if obj and org_pk and obj.organization.pk != org_pk: if obj and org_pk and obj.organization.pk != org_pk:
raise PermissionDenied('Unable to change organization on a team') raise PermissionDenied('Unable to change organization on a team')
return obj.organization.accessible_by(self.user, ALL_PERMISSIONS) return self.user in obj.organization.admin_role
def can_delete(self, obj): def can_delete(self, obj):
return self.can_change(obj, None) return self.can_change(obj, None)
@@ -632,19 +623,19 @@ class ProjectAccess(BaseAccess):
def get_queryset(self): def get_queryset(self):
if self.user.is_superuser: if self.user.is_superuser:
return self.model.objects.all() return self.model.objects.all()
qs = self.model.accessible_objects(self.user, {'read':True}) qs = self.model.accessible_objects(self.user, 'read_role')
return qs.select_related('modified_by', 'credential', 'current_job', 'last_job').all() return qs.select_related('modified_by', 'credential', 'current_job', 'last_job').all()
def can_add(self, data): def can_add(self, data):
if self.user.is_superuser: if self.user.is_superuser:
return True return True
qs = Organization.accessible_objects(self.user, ALL_PERMISSIONS) qs = Organization.accessible_objects(self.user, 'admin_role')
return qs.exists() return qs.exists()
def can_change(self, obj, data): def can_change(self, obj, data):
if self.user.is_superuser: if self.user.is_superuser:
return True return True
return obj.accessible_by(self.user, ALL_PERMISSIONS) return self.user in obj.admin_role
def can_delete(self, obj): def can_delete(self, obj):
return self.can_change(obj, None) return self.can_change(obj, None)
@@ -673,7 +664,7 @@ class ProjectUpdateAccess(BaseAccess):
return self.can_change(obj, {}) and obj.can_cancel return self.can_change(obj, {}) and obj.can_cancel
def can_delete(self, obj): def can_delete(self, obj):
return obj and obj.project.accessible_by(self.user, {'delete':True}) return obj and self.user in obj.project.admin_role
class JobTemplateAccess(BaseAccess): class JobTemplateAccess(BaseAccess):
''' '''
@@ -694,7 +685,7 @@ class JobTemplateAccess(BaseAccess):
if self.user.is_superuser: if self.user.is_superuser:
qs = self.model.objects.all() qs = self.model.objects.all()
else: else:
qs = self.model.accessible_objects(self.user, {'read':True}) qs = self.model.accessible_objects(self.user, 'read_role')
return qs.select_related('created_by', 'modified_by', 'inventory', 'project', return qs.select_related('created_by', 'modified_by', 'inventory', 'project',
'credential', 'cloud_credential', 'next_schedule').all() 'credential', 'cloud_credential', 'next_schedule').all()
@@ -726,7 +717,7 @@ class JobTemplateAccess(BaseAccess):
credential_pk = get_pk_from_dict(data, 'credential') credential_pk = get_pk_from_dict(data, 'credential')
if credential_pk: if credential_pk:
credential = get_object_or_400(Credential, pk=credential_pk) credential = get_object_or_400(Credential, pk=credential_pk)
if not credential.accessible_by(self.user, {'read':True}): if self.user not in credential.read_role:
return False return False
# If a cloud credential is provided, the user should have read access. # If a cloud credential is provided, the user should have read access.
@@ -734,7 +725,7 @@ class JobTemplateAccess(BaseAccess):
if cloud_credential_pk: if cloud_credential_pk:
cloud_credential = get_object_or_400(Credential, cloud_credential = get_object_or_400(Credential,
pk=cloud_credential_pk) pk=cloud_credential_pk)
if not cloud_credential.accessible_by(self.user, {'read':True}): if self.user not in cloud_credential.read_role:
return False return False
# Check that the given inventory ID is valid. # Check that the given inventory ID is valid.
@@ -746,7 +737,7 @@ class JobTemplateAccess(BaseAccess):
project_pk = get_pk_from_dict(data, 'project') project_pk = get_pk_from_dict(data, 'project')
if 'job_type' in data and data['job_type'] == PERM_INVENTORY_SCAN: if 'job_type' in data and data['job_type'] == PERM_INVENTORY_SCAN:
org = inventory[0].organization org = inventory[0].organization
accessible = org.accessible_by(self.user, {'read':True, 'update':True, 'write':True}) accessible = self.user in org.admin_role
if not project_pk and accessible: if not project_pk and accessible:
return True return True
elif not accessible: elif not accessible:
@@ -754,10 +745,10 @@ class JobTemplateAccess(BaseAccess):
# If the user has admin access to the project (as an org admin), should # If the user has admin access to the project (as an org admin), should
# be able to proceed without additional checks. # be able to proceed without additional checks.
project = get_object_or_400(Project, pk=project_pk) project = get_object_or_400(Project, pk=project_pk)
if project.accessible_by(self.user, ALL_PERMISSIONS): if self.user in project.admin_role:
return True return True
return project.accessible_by(self.user, ALL_PERMISSIONS) and inventory.accessible_by(self.user, {'read':True}) return self.user in project.admin_role and self.user in inventory.read_role
def can_start(self, obj, validate_license=True): def can_start(self, obj, validate_license=True):
# Check license. # Check license.
@@ -775,10 +766,10 @@ class JobTemplateAccess(BaseAccess):
if obj.job_type == PERM_INVENTORY_SCAN: if obj.job_type == PERM_INVENTORY_SCAN:
# Scan job with default project, must have JT execute or be org admin # Scan job with default project, must have JT execute or be org admin
if obj.project is None and obj.inventory: if obj.project is None and obj.inventory:
return (obj.accessible_by(self.user, {'execute': True}) or return (self.user in obj.execute_role or
obj.inventory.organization.accessible_by(self.user, ALL_PERMISSIONS)) self.user in obj.inventory.organization.admin_role)
return obj.accessible_by(self.user, {'execute':True}) return self.user in obj.execute_role
def can_change(self, obj, data): def can_change(self, obj, data):
data_for_change = data data_for_change = data
@@ -813,7 +804,7 @@ class JobAccess(BaseAccess):
credential_ids = self.user.get_queryset(Credential) credential_ids = self.user.get_queryset(Credential)
return qs.filter( return qs.filter(
credential_id__in=credential_ids, credential_id__in=credential_ids,
job_template__in=JobTemplate.accessible_objects(self.user, {'read': True}) job_template__in=JobTemplate.accessible_objects(self.user, 'read_role')
) )
def can_add(self, data): def can_add(self, data):
@@ -846,7 +837,7 @@ class JobAccess(BaseAccess):
# Allow org admins and superusers to delete jobs # Allow org admins and superusers to delete jobs
if self.user.is_superuser: if self.user.is_superuser:
return True return True
return obj.inventory.accessible_by(self.user, ALL_PERMISSIONS) return self.user in obj.inventory.admin_role
def can_start(self, obj): def can_start(self, obj):
self.check_license() self.check_license()
@@ -858,12 +849,12 @@ class JobAccess(BaseAccess):
# If a user can launch the job template then they can relaunch a job from that # If a user can launch the job template then they can relaunch a job from that
# job template # job template
if obj.job_template is not None: if obj.job_template is not None:
return obj.job_template.accessible_by(self.user, {'execute': True}) return self.user in obj.job_template.execute_role
inventory_access = obj.inventory.accessible_by(self.user, {'use':True}) inventory_access = self.user in obj.inventory.use_role
org_access = obj.inventory.organization.accessible_by(self.user, ALL_PERMISSIONS) org_access = self.user in obj.inventory.organization.admin_role
project_access = obj.project is None or obj.project.accessible_by(self.user, ALL_PERMISSIONS) project_access = obj.project is None or self.user in obj.project.admin_role
return inventory_access and (org_access or project_access) return inventory_access and (org_access or project_access)
@@ -905,7 +896,7 @@ class AdHocCommandAccess(BaseAccess):
return qs.all() return qs.all()
credential_ids = set(self.user.get_queryset(Credential).values_list('id', flat=True)) credential_ids = set(self.user.get_queryset(Credential).values_list('id', flat=True))
inventory_qs = Inventory.accessible_objects(self.user, {'read': True, 'execute': True}) inventory_qs = Inventory.accessible_objects(self.user, 'execute_role')
return qs.filter(credential_id__in=credential_ids, return qs.filter(credential_id__in=credential_ids,
inventory__in=inventory_qs) inventory__in=inventory_qs)
@@ -920,7 +911,7 @@ class AdHocCommandAccess(BaseAccess):
credential_pk = get_pk_from_dict(data, 'credential') credential_pk = get_pk_from_dict(data, 'credential')
if credential_pk: if credential_pk:
credential = get_object_or_400(Credential, pk=credential_pk) credential = get_object_or_400(Credential, pk=credential_pk)
if not credential.accessible_by(self.user, {'read':True}): if self.user not in credential.read_role:
return False return False
# Check that the user has the run ad hoc command permission on the # Check that the user has the run ad hoc command permission on the
@@ -928,7 +919,7 @@ class AdHocCommandAccess(BaseAccess):
inventory_pk = get_pk_from_dict(data, 'inventory') inventory_pk = get_pk_from_dict(data, 'inventory')
if inventory_pk: if inventory_pk:
inventory = get_object_or_400(Inventory, pk=inventory_pk) inventory = get_object_or_400(Inventory, pk=inventory_pk)
if not inventory.accessible_by(self.user, {'execute': True}): if self.user not in inventory.execute_role:
return False return False
return True return True
@@ -1188,23 +1179,23 @@ class NotifierAccess(BaseAccess):
qs = self.model.objects.all() qs = self.model.objects.all()
if self.user.is_superuser: if self.user.is_superuser:
return qs return qs
return self.model.objects.filter(organization__in=Organization.accessible_objects(self.user, ALL_PERMISSIONS).all()) return self.model.objects.filter(organization__in=Organization.accessible_objects(self.user, 'admin_role').all())
def can_read(self, obj): def can_read(self, obj):
if self.user.is_superuser: if self.user.is_superuser:
return True return True
if obj.organization is not None: if obj.organization is not None:
return obj.organization.accessible_by(self.user, ALL_PERMISSIONS) return self.user in obj.organization.admin_role
return False return False
def can_add(self, data): def can_add(self, data):
if self.user.is_superuser: if self.user.is_superuser:
return True return True
if not data: if not data:
return Organization.accessible_objects(self.user, ALL_PERMISSIONS).exists() return Organization.accessible_objects(self.user, 'admin_role').exists()
org_pk = get_pk_from_dict(data, 'organization') org_pk = get_pk_from_dict(data, 'organization')
org = get_object_or_400(Organization, pk=org_pk) org = get_object_or_400(Organization, pk=org_pk)
return org.accessible_by(self.user, ALL_PERMISSIONS) return self.user in org.admin_role
def can_change(self, obj, data): def can_change(self, obj, data):
if self.user.is_superuser: if self.user.is_superuser:
@@ -1212,10 +1203,10 @@ class NotifierAccess(BaseAccess):
org_pk = get_pk_from_dict(data, 'organization') org_pk = get_pk_from_dict(data, 'organization')
if obj and org_pk and obj.organization.pk != org_pk: if obj and org_pk and obj.organization.pk != org_pk:
org = get_object_or_400(Organization, pk=org_pk) org = get_object_or_400(Organization, pk=org_pk)
if not org.accessible_by(self.user, ALL_PERMISSIONS): if self.user not in org.admin_role:
return False return False
if obj.organization is not None: if obj.organization is not None:
return obj.organization.accessible_by(self.user, ALL_PERMISSIONS) return self.user in obj.organization.admin_role
return False return False
def can_admin(self, obj, data): def can_admin(self, obj, data):
@@ -1234,7 +1225,7 @@ class NotificationAccess(BaseAccess):
qs = self.model.objects.all() qs = self.model.objects.all()
if self.user.is_superuser: if self.user.is_superuser:
return qs return qs
return self.model.objects.filter(notifier__organization__in=Organization.accessible_objects(self.user, ALL_PERMISSIONS)) return self.model.objects.filter(notifier__organization__in=Organization.accessible_objects(self.user, 'admin_role'))
def can_read(self, obj): def can_read(self, obj):
return self.user.can_access(Notifier, 'read', obj.notifier) return self.user.can_access(Notifier, 'read', obj.notifier)
@@ -1252,13 +1243,13 @@ class LabelAccess(BaseAccess):
if self.user.is_superuser: if self.user.is_superuser:
return self.model.objects.all() return self.model.objects.all()
return self.model.objects.filter( return self.model.objects.filter(
organization__in=Organization.accessible_objects(self.user, {'read': True}) organization__in=Organization.accessible_objects(self.user, 'read_role')
) )
def can_read(self, obj): def can_read(self, obj):
if self.user.is_superuser: if self.user.is_superuser:
return True return True
return obj.organization.accessible_by(self.user, {'read': True}) return self.user in obj.organization.read_role
def can_add(self, data): def can_add(self, data):
if self.user.is_superuser: if self.user.is_superuser:
@@ -1269,7 +1260,7 @@ class LabelAccess(BaseAccess):
org_pk = get_pk_from_dict(data, 'organization') org_pk = get_pk_from_dict(data, 'organization')
org = get_object_or_400(Organization, pk=org_pk) org = get_object_or_400(Organization, pk=org_pk)
return org.accessible_by(self.user, {'read': True}) return self.user in org.read_role
def can_change(self, obj, data): def can_change(self, obj, data):
if self.user.is_superuser: if self.user.is_superuser:
@@ -1278,7 +1269,7 @@ class LabelAccess(BaseAccess):
if self.can_add(data) is False: if self.can_add(data) is False:
return False return False
return obj.organization.accessible_by(self.user, ALL_PERMISSIONS) return self.user in obj.organization.admin_role
def can_delete(self, obj): def can_delete(self, obj):
return self.can_change(obj, None) return self.can_change(obj, None)
@@ -1369,12 +1360,12 @@ class CustomInventoryScriptAccess(BaseAccess):
def get_queryset(self): def get_queryset(self):
if self.user.is_superuser: if self.user.is_superuser:
return self.model.objects.distinct().all() return self.model.objects.distinct().all()
return self.model.accessible_objects(self.user, {'read':True}).all() return self.model.accessible_objects(self.user, 'read_role').all()
def can_read(self, obj): def can_read(self, obj):
if self.user.is_superuser: if self.user.is_superuser:
return True return True
return obj.accessible_by(self.user, {'read':True}) return self.user in obj.read_role
def can_add(self, data): def can_add(self, data):
if self.user.is_superuser: if self.user.is_superuser:
@@ -1463,7 +1454,7 @@ class RoleAccess(BaseAccess):
return True return True
if obj.object_id and \ if obj.object_id and \
isinstance(obj.content_object, ResourceMixin) and \ isinstance(obj.content_object, ResourceMixin) and \
obj.content_object.accessible_by(self.user, {'write': True}): self.user in obj.content_object.admin_role:
return True return True
return False return False

1
awx/main/models/__init__.py
View File

@@ -43,7 +43,6 @@ from awx.main.access import * # noqa
User.add_to_class('get_queryset', get_user_queryset) User.add_to_class('get_queryset', get_user_queryset)
User.add_to_class('can_access', check_user_access) User.add_to_class('can_access', check_user_access)
User.add_to_class('accessible_by', user_accessible_by)
User.add_to_class('accessible_objects', user_accessible_objects) User.add_to_class('accessible_objects', user_accessible_objects)
User.add_to_class('admin_role', user_admin_role) User.add_to_class('admin_role', user_admin_role)