Add complete test that we have analogs to old versions of roles, fix some mismatches (#15321)

* Add test that we got all permissions right for every role * Fix missing Org execute role and missing adhoc role permission * Add in missing Organization Approval Role as well * Remove Role from role names
2026-05-22 08:17:39 -02:30 · 2024-07-03 15:40:55 -04:00
parent 00ba1ea569
commit ee251812b5
2 changed files with 77 additions and 14 deletions
--- a/awx/main/migrations/_dab_rbac.py
+++ b/awx/main/migrations/_dab_rbac.py
@@ -277,7 +277,6 @@ def setup_managed_role_definitions(apps, schema_editor):
    to_create = {
        'object_admin': '{cls.__name__} Admin',
        'org_admin': 'Organization Admin',
-        'org_audit': 'Organization Audit',
        'org_children': 'Organization {cls.__name__} Admin',
        'special': '{cls.__name__} {action}',
    }
@@ -334,12 +333,19 @@ def setup_managed_role_definitions(apps, schema_editor):
            for perm in special_perms:
                action = perm.codename.split('_')[0]
                view_perm = Permission.objects.get(content_type=ct, codename__startswith='view_')
+                perm_list = [perm, view_perm]
+                # Handle special-case where adhoc role also listed use permission
+                if action == 'adhoc':
+                    for other_perm in object_perms:
+                        if other_perm.codename == 'use_inventory':
+                            perm_list.append(other_perm)
+                            break
                managed_role_definitions.append(
                    get_or_create_managed(
                        to_create['special'].format(cls=cls, action=action.title()),
                        f'Has {action} permissions to a single {cls._meta.verbose_name}',
                        ct,
-                        [perm, view_perm],
+                        perm_list,
                        RoleDefinition,
                    )
                )
@@ -355,18 +361,40 @@ def setup_managed_role_definitions(apps, schema_editor):
            )
        )

-    if 'org_audit' in to_create:
-        audit_permissions = [perm for perm in org_perms if perm.codename.startswith('view_')]
-        audit_permissions.append(Permission.objects.get(codename='audit_organization'))
-        managed_role_definitions.append(
-            get_or_create_managed(
-                to_create['org_audit'].format(cls=Organization),
-                'Has permission to view all objects inside of a single organization',
-                org_ct,
-                audit_permissions,
-                RoleDefinition,
-            )
+    # Special "organization action" roles
+    audit_permissions = [perm for perm in org_perms if perm.codename.startswith('view_')]
+    audit_permissions.append(Permission.objects.get(codename='audit_organization'))
+    managed_role_definitions.append(
+        get_or_create_managed(
+            'Organization Audit',
+            'Has permission to view all objects inside of a single organization',
+            org_ct,
+            audit_permissions,
+            RoleDefinition,
        )
+    )
+
+    org_execute_permissions = {'view_jobtemplate', 'execute_jobtemplate', 'view_workflowjobtemplate', 'execute_workflowjobtemplate', 'view_organization'}
+    managed_role_definitions.append(
+        get_or_create_managed(
+            'Organization Execute',
+            'Has permission to execute all runnable objects in the organization',
+            org_ct,
+            [perm for perm in org_perms if perm.codename in org_execute_permissions],
+            RoleDefinition,
+        )
+    )
+
+    org_approval_permissions = {'view_organization', 'view_workflowjobtemplate', 'approve_workflowjobtemplate'}
+    managed_role_definitions.append(
+        get_or_create_managed(
+            'Organization Approval',
+            'Has permission to approve any workflow steps within a single organization',
+            org_ct,
+            [perm for perm in org_perms if perm.codename in org_approval_permissions],
+            RoleDefinition,
+        )
+    )

    unexpected_role_definitions = RoleDefinition.objects.filter(managed=True).exclude(pk__in=[rd.pk for rd in managed_role_definitions])
    for role_definition in unexpected_role_definitions: