From ef8eb712c6f7ad129a03fc5d2c6c4f72f166d55a Mon Sep 17 00:00:00 2001
From: Wayne Witzel III
Date: Thu, 28 Apr 2016 15:15:26 -0400
Subject: [PATCH] added tests to assert team roles attach/unattach permissions, removed previous flawed fix
---
 awx/api/views.py | 4 ----
 awx/main/tests/functional/test_rbac_team.py | 19 +++++++++++++++++++
 2 files changed, 19 insertions(+), 4 deletions(-)
diff --git a/awx/api/views.py b/awx/api/views.py
index 0c7164a622..667df86e63 100644
--- a/awx/api/views.py
+++ b/awx/api/views.py
@@ -836,10 +836,6 @@ class TeamRolesList(SubListCreateAttachDetachAPIView):
 def post(self, request, *args, **kwargs):
 # Forbid implicit role creation here
- team = get_object_or_404(Team, pk=self.kwargs['pk'])
- if not self.request.user.can_access(Team, 'change', team):
- raise PermissionDenied()
-
 sub_id = request.data.get('id', None)
 if not sub_id:
 data = dict(msg='Role "id" field is missing')
diff --git a/awx/main/tests/functional/test_rbac_team.py b/awx/main/tests/functional/test_rbac_team.py
index 3961cb837a..d4f03f0cfc 100644
--- a/awx/main/tests/functional/test_rbac_team.py
+++ b/awx/main/tests/functional/test_rbac_team.py
@@ -3,6 +3,25 @@ import pytest
 from awx.main.access import TeamAccess
 from awx.main.models import Project
+
+@pytest.mark.django_db
+def test_team_attach_unattach(team, user):
+ u = user('member', False)
+ access = TeamAccess(u)
+
+ team.member_role.members.add(u)
+ assert not access.can_attach(team, u.admin_role, 'member_role.children', None)
+ assert not access.can_unattach(team, u.admin_role, 'member_role.children')
+
+ team.admin_role.members.add(u)
+ assert access.can_attach(team, u.admin_role, 'member_role.children', None)
+ assert access.can_unattach(team, u.admin_role, 'member_role.children')
+
+ u2 = user('non-member', False)
+ access = TeamAccess(u2)
+ assert not access.can_attach(team, u2.admin_role, 'member_role.children', None)
+ assert not access.can_unattach(team, u2.admin_role, 'member_role.chidlren')
+
 @pytest.mark.django_db
 def test_team_access_superuser(team, user):
 team.member_role.members.add(user('member', False))
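Review bot: The last assertion in `test_team_attach_unattach` passes the relationship as `'member_role.chidlren'`, a misspelling of the `'member_role.children'` used in every other call, so the non-member unattach case may be passing for a reason unrelated to the permission rule. It should read `assert not access.can_unattach(team, u2.admin_role, 'member_role.children')`. The test also exercises `TeamAccess` directly, while the same commit deletes the inline `can_access(Team, 'change', team)` guard from `TeamRolesList.post`. Whether the parent view's attach path consults `can_attach` is not visible in this patch, so a request-level test asserting that a POST from a non-admin member and from a non-member is refused would pin the behaviour the removed guard was covering.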