From ee111be2615f99148d6a3298b315986c2aef4022 Mon Sep 17 00:00:00 2001
From: Rebeccah
Date: Thu, 10 Dec 2020 12:26:20 -0500
Subject: [PATCH] move away from signals towards the origin of the POST to see if I can impact the data sent within the POST so that it can impact the User model, this may not work because the POST is related only to the Roles model
---
 awx/api/views/__init__.py | 11 ++++++++---
 awx/main/signals.py | 16 +++++++++-------
 2 files changed, 17 insertions(+), 10 deletions(-)
diff --git a/awx/api/views/__init__.py b/awx/api/views/__init__.py
index 43e845af0c..42edb07333 100644
--- a/awx/api/views/__init__.py
+++ b/awx/api/views/__init__.py
@@ -1079,7 +1079,7 @@ class UserTeamsList(SubListAPIView):
 class UserRolesList(SubListAttachDetachAPIView):
-
+ # view of the roles that a user has associated with their id
 model = models.Role
 serializer_class = serializers.RoleSerializerWithParentAccess
 metadata_class = RoleMetadata
@@ -1099,6 +1099,7 @@ class UserRolesList(SubListAttachDetachAPIView):
 ).exclude(content_type=content_type, object_id=u.id)
 def post(self, request, *args, **kwargs):
+ ret = super(UserRolesList, self).post(request, *args, **kwargs)
 sub_id = request.data.get('id', None)
 if not sub_id:
 return super(UserRolesList, self).post(request)
@@ -1107,6 +1108,7 @@ class UserRolesList(SubListAttachDetachAPIView):
 role = get_object_or_400(models.Role, pk=sub_id)
 credential_content_type = ContentType.objects.get_for_model(models.Credential)
+ if role.content_type == credential_content_type:
 if 'disassociate' not in request.data and role.content_object.organization and user not in role.content_object.organization.member_role:
 data = dict(msg=_("You cannot grant credential access to a user not in the credentials' organization"))
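Review bot: The added `ret = super(UserRolesList, self).post(request, *args, **kwargs)` at the top of `post()` runs the parent attach/detach handler before `sub_id` is validated and before the credential checks further down the method. As far as these hunks show, a request that those checks answer with HTTP 400 has therefore already been processed by the parent, so the organization-membership and private-credential guards no longer gate the change. `ret` is never read, and the method still ends in a second `super(UserRolesList, self).post(...)` call (next hunk), so an accepted request is handled twice. Drop the added line and keep the single call at the end of the method; the body of `post()` continues outside this hunk.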
@@ -1115,7 +1117,10 @@ class UserRolesList(SubListAttachDetachAPIView):
 if not role.content_object.organization and not request.user.is_superuser:
 data = dict(msg=_("You cannot grant private credential access to another user"))
 return Response(data, status=status.HTTP_400_BAD_REQUEST)
-
+ if request.data.get('id', None) == 1:
+ request.data['role_field'] = "System Administrator"
+ request.data["is_superuser"] = True
+ # this won't work because it doesn't impact the user model, which is where `is_superuser` is found and is what needs to be changed
 return super(UserRolesList, self).post(request, *args, **kwargs)
@@ -4359,7 +4364,7 @@ class RoleDetail(RetrieveAPIView):
 class RoleUsersList(SubListAttachDetachAPIView):
-
+ # view of all the users that are within a role
 model = models.User
 serializer_class = serializers.UserSerializer
 parent_model = models.Role
diff --git a/awx/main/signals.py b/awx/main/signals.py
index de89411ea2..3ecba41b78 100644
--- a/awx/main/signals.py
+++ b/awx/main/signals.py
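Review bot: In the `UserRolesList.post()` hunk, the new branch before the final `return super(...)` recognises the System Administrator role by the literal `request.data.get('id', None) == 1`, which relies on that role having primary key 1 and on the client sending an integer rather than the string "1". `role` is already loaded earlier in `post()` (outside this hunk), so test the object the way `awx/main/signals.py` does: `if role.content_type_id is None and role.singleton_name == ROLE_SINGLETON_SYSTEM_ADMINISTRATOR:` (the constant may need importing in this module). The branch also never looks at `'disassociate'`, so a detach request would be tagged `is_superuser = True` as well. Writing a privilege flag into `request.data` is fragile in itself: it can be an immutable QueryDict for form-encoded requests, and as the in-code comment admits it never reaches the User model. The flag should be derived server-side from the role after the attach or detach has passed its access checks.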
@@ -121,12 +121,14 @@ def sync_superuser_status_to_rbac(instance, **kwargs):
 Role.singleton(ROLE_SINGLETON_SYSTEM_ADMINISTRATOR).members.remove(instance)
-def sync_rbac_to_superuser_status(instance, sender, **kwargs):
- 'When the is_superuser flag is false but a user has the System Admin role, update the database to reflect that'
- if kwargs['action'] in ['pre_add', 'pre_remove']:
- if hasattr(instance, 'content_type'):
- if instance.content_type_id is None and instance.singleton_name == ROLE_SINGLETON_SYSTEM_ADMINISTRATOR and kwargs['model'].is_superuser == False:
- User.objects.filter(pk=kwargs['pk_set'].pop()).update(is_superuser = (kwargs['action'] == 'pre_add'))
+# def sync_rbac_to_superuser_status(instance, sender, **kwargs):
+# 'When the is_superuser flag is false but a user has the System Admin role, update the database to reflect that'
+# if kwargs['action'] in ['pre_add', 'pre_remove']:
+# if hasattr(instance, 'content_type'):
+# import sdb;
+# sdb.set_trace()
+# if instance.content_type_id is None and instance.singleton_name == ROLE_SINGLETON_SYSTEM_ADMINISTRATOR and kwargs['model'].is_superuser == False:
+# User.objects.filter(pk=kwargs['pk_set'].pop()).update(is_superuser = (kwargs['action'] == 'pre_add'))
@@ -206,7 +208,7 @@ m2m_changed.connect(rebuild_role_ancestor_list, Role.parents.through)
 m2m_changed.connect(rbac_activity_stream, Role.members.through)
 m2m_changed.connect(rbac_activity_stream, Role.parents.through)
 post_save.connect(sync_superuser_status_to_rbac, sender=User)
-m2m_changed.connect(sync_rbac_to_superuser_status, Role.members.through)
+#m2m_changed.connect(sync_rbac_to_superuser_status, Role.members.through)
 pre_delete.connect(cleanup_detached_labels_on_deleted_parent, sender=UnifiedJob)
 pre_delete.connect(cleanup_detached_labels_on_deleted_parent, sender=UnifiedJobTemplate)
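Review bot: With `sync_rbac_to_superuser_status` commented out in the first `signals.py` hunk and its `m2m_changed.connect(...)` registration commented out in the last one, nothing in this patch keeps `User.is_superuser` in step with membership of the System Administrator singleton role, while `post_save.connect(sync_superuser_status_to_rbac, sender=User)` still syncs the other direction. In particular, a user removed from the role would keep whatever `is_superuser` value they had unless a path outside this patch updates it. That needs confirming before merge, since the view-side replacement is marked in its own comment as not working. The commented block also carries `import sdb;` and `sdb.set_trace()`; delete the function outright rather than commenting it out, so that uncommenting it later cannot bring a debugger hook back into the signal path.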