External-Mirrors/awx
2
0
Fork 0
mirror of https://github.com/ansible/awx.git synced 2026-03-21 19:07:39 -02:30
Code Issues Packages Projects Releases Wiki Activity

check oauth_scopes in _every_ view

Browse Source 
see: https://github.com/ansible/tower/issues/2759
This commit is contained in:
Ryan Petrello
2018-08-06 09:43:58 -04:00
parent fc589389fc
commit ec735b7b47
2 changed files with 6 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
awx/api/generics.py
View File

@@ -327,6 +327,12 @@ class APIView(views.APIView):
kwargs.pop('version') kwargs.pop('version')
return super(APIView, self).dispatch(request, *args, **kwargs) return super(APIView, self).dispatch(request, *args, **kwargs)
def check_permissions(self, request):
if request.method not in ('GET', 'OPTIONS', 'HEAD'):
if 'write' not in getattr(request.user, 'oauth_scopes', ['write']):
raise PermissionDenied()
return super(APIView, self).check_permissions(request)
class GenericAPIView(generics.GenericAPIView, APIView): class GenericAPIView(generics.GenericAPIView, APIView):
# Base class for all model-based views. # Base class for all model-based views.

2
awx/main/access.py
View File

@@ -98,8 +98,6 @@ def check_user_access(user, model_class, action, *args, **kwargs):
Return True if user can perform action against model_class with the Return True if user can perform action against model_class with the
provided parameters. provided parameters.
''' '''
if 'write' not in getattr(user, 'oauth_scopes', ['write']) and action != 'read':
return False
access_class = access_registry[model_class] access_class = access_registry[model_class]
access_instance = access_class(user) access_instance = access_class(user)
access_method = getattr(access_instance, 'can_%s' % action) access_method = getattr(access_instance, 'can_%s' % action)