correctly check credential permission on WFJT copy

2026-03-07 11:41:08 -03:30 · 2018-05-02 14:53:05 -04:00
parent 1d6b15a6a7
commit ec1e94376c
4 changed files with 15 additions and 3 deletions
--- a/awx/api/views.py
+++ b/awx/api/views.py
@@ -3702,12 +3702,18 @@ class WorkflowJobTemplateCopy(WorkflowsEnforcementMixin, CopyAPIView):
                item = getattr(obj, field_name, None)
                if item is None:
                    continue
-                if field_name in ['inventory']:
+                elif field_name in ['inventory']:
                    if not user.can_access(item.__class__, 'use', item):
                        setattr(obj, field_name, None)
-                if field_name in ['unified_job_template']:
+                elif field_name in ['unified_job_template']:
                    if not user.can_access(item.__class__, 'start', item, validate_license=False):
                        setattr(obj, field_name, None)
+                elif field_name in ['credentials']:
+                    for cred in item.all():
+                        if not user.can_access(cred.__class__, 'use', cred):
+                            logger.debug(six.text_type(
+                                'Deep copy: removing {} from relationship due to permissions').format(cred))
+                            item.remove(cred.pk)
            obj.save()