check oauth_scopes in _every_ view

see: https://github.com/ansible/tower/issues/2759
2026-01-13 19:10:07 -03:30 · 2018-08-06 09:43:58 -04:00 · 2018-08-06 09:43:58 -04:00 · ec735b7b47
commit ec735b7b47
parent fc589389fc
2 changed files with 6 additions and 2 deletions
--- a/awx/api/generics.py
+++ b/awx/api/generics.py
@ -327,6 +327,12 @@ class APIView(views.APIView):
                kwargs.pop('version')
        return super(APIView, self).dispatch(request, *args, **kwargs)

+    def check_permissions(self, request):
+        if request.method not in ('GET', 'OPTIONS', 'HEAD'):
+            if 'write' not in getattr(request.user, 'oauth_scopes', ['write']):
+                raise PermissionDenied()
+        return super(APIView, self).check_permissions(request)
+

 class GenericAPIView(generics.GenericAPIView, APIView):
    # Base class for all model-based views.
--- a/awx/main/access.py
+++ b/awx/main/access.py
@ -98,8 +98,6 @@ def check_user_access(user, model_class, action, *args, **kwargs):
    Return True if user can perform action against model_class with the
    provided parameters.
    '''
-    if 'write' not in getattr(user, 'oauth_scopes', ['write']) and action != 'read':
-        return False
    access_class = access_registry[model_class]
    access_instance = access_class(user)
    access_method = getattr(access_instance, 'can_%s' % action)