External-Mirrors/awx
2
0
Fork 0
mirror of https://github.com/ansible/awx.git synced 2026-03-16 00:17:29 -02:30
Code Issues Packages Projects Releases Wiki Activity

Updates to permissions checks (and tests), add logging around permission checks, permission-related fixes to support browsable API, work in progress on job templates API, added default logging settings.

Browse Source
This commit is contained in:
Chris Church
2013-05-01 14:10:42 -04:00
parent b6e7d964c2
commit ef92fe3960
11 changed files with 320 additions and 153 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
TODO.md
View File

@@ -5,9 +5,6 @@ CC TODO
======= =======
* supervisord to start celery, modify ansible playbook to set up supervisord <- ChrisC * supervisord to start celery, modify ansible playbook to set up supervisord <- ChrisC
* documentation on how to run with callbacks from NOT a launchjob <-- ChrisC * documentation on how to run with callbacks from NOT a launchjob <-- ChrisC
* interactive SSH agent support for launch jobs/creds <-- ChrisC
* michael to modify ansible to accept ssh password and sudo password from env vars
* way to send cntrl-c to kill job (method on job?) <-- ChrisC, low priority
* default_playbook should be relative to scm_repository and not allow "../" out of the directory * default_playbook should be relative to scm_repository and not allow "../" out of the directory
* do we need something other than default playbook (ProjectOptions) <-- MPD later * do we need something other than default playbook (ProjectOptions) <-- MPD later

39
lib/main/base_views.py
View File

@@ -20,7 +20,7 @@ from lib.main.models import *
from django.contrib.auth.models import User from django.contrib.auth.models import User
from lib.main.serializers import * from lib.main.serializers import *
from lib.main.rbac import * from lib.main.rbac import *
from django.core.exceptions import PermissionDenied from rest_framework.exceptions import PermissionDenied
from rest_framework import mixins from rest_framework import mixins
from rest_framework import generics from rest_framework import generics
from rest_framework import permissions from rest_framework import permissions
@@ -36,20 +36,21 @@ class BaseList(generics.ListCreateAPIView):
def list_permissions_check(self, request, obj=None): def list_permissions_check(self, request, obj=None):
''' determines some early yes/no access decisions, pre-filtering ''' ''' determines some early yes/no access decisions, pre-filtering '''
if request.method == 'GET': #print '---', request.method, getattr(request, '_method', None)
return True if request.method in ('OPTIONS', 'HEAD', 'GET'):
return True
if request.method == 'POST': if request.method == 'POST':
if self.__class__.model in [ User ]: if self.__class__.model in [ User ]:
ok = request.user.is_superuser or (request.user.admin_of_organizations.count() > 0) ok = request.user.is_superuser or (request.user.admin_of_organizations.count() > 0)
if not ok: if not ok:
raise PermissionDenied() raise PermissionDenied()
return True return True
else: else:
# audit all of these to check ownership/readability of subobjects # audit all of these to check ownership/readability of subobjects
if not self.__class__.model.can_user_add(request.user, self.request.DATA): if not self.__class__.model.can_user_add(request.user, self.request.DATA):
raise PermissionDenied() raise PermissionDenied()
return True return True
raise exceptions.NotImplementedError return False#raise exceptions.NotImplementedError
def get_queryset(self): def get_queryset(self):
@@ -78,8 +79,8 @@ class BaseSubList(BaseList):
def list_permissions_check(self, request, obj=None): def list_permissions_check(self, request, obj=None):
''' determines some early yes/no access decisions, pre-filtering ''' ''' determines some early yes/no access decisions, pre-filtering '''
if request.method == 'GET': if request.method in ('OPTIONS', 'HEAD', 'GET'):
return True return True
if request.method == 'POST': if request.method == 'POST':
# the can_user_attach methods will be called below # the can_user_attach methods will be called below
return True return True
@@ -171,14 +172,10 @@ class BaseSubList(BaseList):
if self.__class__.parent_model == Organization: if self.__class__.parent_model == Organization:
organization = Organization.objects.get(pk=request.DATA[inject_primary_key]) organization = Organization.objects.get(pk=request.DATA[inject_primary_key])
import lib.main.views import lib.main.views
if self.__class__ == lib.main.views.OrganizationsUsersList: if self.__class__ == lib.main.views.OrganizationsUsersList:
organization.users.add(obj) organization.users.add(obj)
organization.save()
elif self.__class__ == lib.main.views.OrganizationsAdminsList: elif self.__class__ == lib.main.views.OrganizationsAdminsList:
organization.admins.add(obj) organization.admins.add(obj)
organization.save()
else: else:
if not UserHelper.can_user_read(request.user, obj): if not UserHelper.can_user_read(request.user, obj):

7
lib/main/models/__init__.py
View File

@@ -904,6 +904,11 @@ class JobTemplate(CommonModel):
) )
return cls.can_user_add(user, data) return cls.can_user_add(user, data)
@classmethod
def can_user_administrate(cls, user, obj, data):
'''
'''
@classmethod @classmethod
def can_user_add(cls, user, data): def can_user_add(cls, user, data):
''' '''
@@ -916,6 +921,8 @@ class JobTemplate(CommonModel):
if user.is_superuser: if user.is_superuser:
return True return True
if not data or '_method' in data: # FIXME: So the browseable API will work?
return True
project = Project.objects.get(pk=data['project']) project = Project.objects.get(pk=data['project'])
inventory = Inventory.objects.get(pk=data['inventory']) inventory = Inventory.objects.get(pk=data['inventory'])

76
lib/main/rbac.py
View File

@@ -15,58 +15,60 @@
# along with Ansible Commander. If not, see <http://www.gnu.org/licenses/>. # along with Ansible Commander. If not, see <http://www.gnu.org/licenses/>.
from lib.main.models import * import logging
from lib.main.serializers import *
from rest_framework import permissions
from django.contrib.auth.models import AnonymousUser
from django.core.exceptions import PermissionDenied
from django.http import Http404 from django.http import Http404
from rest_framework.exceptions import PermissionDenied
from rest_framework import permissions
logger = logging.getLogger('lib.main.rbac')
# FIXME: this will probably need to be subclassed by object type # FIXME: this will probably need to be subclassed by object type
class CustomRbac(permissions.BasePermission): class CustomRbac(permissions.BasePermission):
def _common_user_check(self, request): def _check_permissions(self, request, view, obj=None):
# no anonymous users # Check that obj (if given) is active, otherwise raise a 404.
if request.user.is_anonymous(): active = getattr(obj, 'active', getattr(obj, 'is_active', True))
# 401, not 403, hence no raised exception if callable(active):
active = active()
if not active:
raise Http404()
# Don't allow anonymous users. 401, not 403, hence no raised exception.
if not request.user or request.user.is_anonymous():
return False return False
# superusers are always good # Don't allow inactive users (and respond with a 403).
if request.user.is_superuser:
return True
# other users must have associated acom user records & be active
if not request.user.is_active: if not request.user.is_active:
raise PermissionDenied() raise PermissionDenied()
return True # Always allow superusers (as long as they are active).
if request.user.is_superuser:
def has_permission(self, request, view, obj=None): return True
if not self._common_user_check(request): # If no obj is given, check list permissions.
return False
if obj is None: if obj is None:
if getattr(view, 'list_permissions_check', None): if getattr(view, 'list_permissions_check', None):
if request.user.is_superuser:
return True
if not view.list_permissions_check(request): if not view.list_permissions_check(request):
raise PermissionDenied() raise PermissionDenied()
elif not getattr(view, 'item_permissions_check', None): elif not getattr(view, 'item_permissions_check', None):
raise Exception("internal error, list_permissions_check or item_permissions_check must be defined") raise Exception('internal error, list_permissions_check or '
'item_permissions_check must be defined')
return True return True
# Otherwise, check the item permissions for the given obj.
else: else:
# haven't tested around these confines yet if not view.item_permissions_check(request, obj):
raise Exception("did not expect to get to this position") raise PermissionDenied()
return True
def has_permission(self, request, view, obj=None):
logger.debug('has_permission(user=%s method=%s data=%r, %s, %r)',
request.user, request.method, request.DATA,
view.__class__.__name__, obj)
try:
response = self._check_permissions(request, view, obj)
except Exception, e:
logger.debug('has_permission raised %r', e, exc_info=True)
raise
else:
logger.debug('has_permission returned %r', response)
return response
def has_object_permission(self, request, view, obj): def has_object_permission(self, request, view, obj):
if isinstance(obj, User): return self.has_permission(request, view, obj)
if not obj.is_active:
raise Http404()
else:
if not obj.active:
raise Http404()
if request.user.is_superuser:
return True
if not self._common_user_check(request):
return False
if not view.item_permissions_check(request, obj):
raise PermissionDenied()
return True

3
lib/main/serializers.py
View File

@@ -304,6 +304,9 @@ class JobTemplateSerializer(BaseSerializer):
def get_related(self, obj): def get_related(self, obj):
# FIXME: fill in once further defined. related resources, credential, project, inventory, etc # FIXME: fill in once further defined. related resources, credential, project, inventory, etc
res = dict( res = dict(
credential = reverse('main:credentials_detail', args=(obj.credential.pk,)),
project = reverse('main:projects_detail', args=(obj.project.pk,)),
inventory = reverse('main:inventory_detail', args=(obj.inventory.pk,)),
) )
if obj.created_by: if obj.created_by:
res['created_by'] = reverse('main:users_detail', args=(obj.created_by.pk,)) res['created_by'] = reverse('main:users_detail', args=(obj.created_by.pk,))

2
lib/main/tests/__init__.py
View File

@@ -20,5 +20,5 @@ from lib.main.tests.inventory import InventoryTest
from lib.main.tests.projects import ProjectsTest from lib.main.tests.projects import ProjectsTest
from lib.main.tests.commands import * from lib.main.tests.commands import *
from lib.main.tests.tasks import RunJobTest from lib.main.tests.tasks import RunJobTest
from lib.main.tests.jobs import JobsTest # similar to above, but mostly focused on REST API from lib.main.tests.jobs import *

50
lib/main/tests/base.py
View File

@@ -14,6 +14,7 @@
# You should have received a copy of the GNU General Public License # You should have received a copy of the GNU General Public License
# along with Ansible Commander. If not, see <http://www.gnu.org/licenses/>. # along with Ansible Commander. If not, see <http://www.gnu.org/licenses/>.
import contextlib
import datetime import datetime
import json import json
import os import os
@@ -21,7 +22,7 @@ import shutil
import tempfile import tempfile
from django.conf import settings from django.conf import settings
from django.contrib.auth.models import User as DjangoUser from django.contrib.auth.models import User
import django.test import django.test
from django.test.client import Client from django.test.client import Client
from lib.main.models import * from lib.main.models import *
@@ -36,6 +37,8 @@ class BaseTestMixin(object):
super(BaseTestMixin, self).setUp() super(BaseTestMixin, self).setUp()
self.object_ctr = 0 self.object_ctr = 0
self._temp_project_dirs = [] self._temp_project_dirs = []
self._current_auth = None
self._user_passwords = {}
def tearDown(self): def tearDown(self):
super(BaseTestMixin, self).tearDown() super(BaseTestMixin, self).tearDown()
@@ -43,14 +46,30 @@ class BaseTestMixin(object):
if os.path.exists(project_dir): if os.path.exists(project_dir):
shutil.rmtree(project_dir, True) shutil.rmtree(project_dir, True)
def make_user(self, username, password, super_user=False): def make_user(self, username, password=None, super_user=False):
django_user = None user = None
password = password or username
if super_user: if super_user:
django_user = DjangoUser.objects.create_superuser(username, "%s@example.com", password) user = User.objects.create_superuser(username, "%s@example.com", password)
else: else:
django_user = DjangoUser.objects.create_user(username, "%s@example.com", password) user = User.objects.create_user(username, "%s@example.com", password)
self.assertTrue(django_user.auth_token) self.assertTrue(user.auth_token)
return django_user self._user_passwords[user.username] = password
return user
@contextlib.contextmanager
def current_user(self, user_or_username, password=None):
try:
if isinstance(user_or_username, User):
username = user_or_username.username
else:
username = user_or_username
password = password or self._user_passwords.get(username)
previous_auth = self._current_auth
self._current_auth = (username, password)
yield
finally:
self._current_auth = previous_auth
def make_organizations(self, created_by, count=1): def make_organizations(self, created_by, count=1):
results = [] results = []
@@ -121,16 +140,17 @@ class BaseTestMixin(object):
def _generic_rest(self, url, data=None, expect=204, auth=None, method=None): def _generic_rest(self, url, data=None, expect=204, auth=None, method=None):
assert method is not None assert method is not None
method = method.lower() method_name = method.lower()
if method not in [ 'get', 'delete' ]: if method_name not in ('options', 'head', 'get', 'delete'):
assert data is not None assert data is not None
client = Client() client = Client()
auth = auth or self._current_auth
if auth: if auth:
if isinstance(auth, (list, tuple)): if isinstance(auth, (list, tuple)):
client.login(username=auth[0], password=auth[1]) client.login(username=auth[0], password=auth[1])
elif isinstance(auth, basestring): elif isinstance(auth, basestring):
client = Client(HTTP_AUTHORIZATION='Token %s' % auth) client = Client(HTTP_AUTHORIZATION='Token %s' % auth)
method = getattr(client,method) method = getattr(client, method_name)
response = None response = None
if data is not None: if data is not None:
response = method(url, json.dumps(data), 'application/json') response = method(url, json.dumps(data), 'application/json')
@@ -141,12 +161,20 @@ class BaseTestMixin(object):
assert False, "Failed: %s" % response.content assert False, "Failed: %s" % response.content
if expect is not None: if expect is not None:
assert response.status_code == expect, "expected status %s, got %s for url=%s as auth=%s: %s" % (expect, response.status_code, url, auth, response.content) assert response.status_code == expect, "expected status %s, got %s for url=%s as auth=%s: %s" % (expect, response.status_code, url, auth, response.content)
if response.status_code not in [ 202, 204, 400, 405, 409 ]: if method_name == 'head':
self.assertFalse(response.content)
if response.status_code not in [ 202, 204, 400, 405, 409 ] and method_name != 'head':
# no JSON responses in these at least for now, 400/409 should probably return some (FIXME) # no JSON responses in these at least for now, 400/409 should probably return some (FIXME)
return json.loads(response.content) return json.loads(response.content)
else: else:
return None return None
def options(self, url, expect=200, auth=None):
return self._generic_rest(url, data=None, expect=expect, auth=auth, method='options')
def head(self, url, expect=200, auth=None):
return self._generic_rest(url, data=None, expect=expect, auth=auth, method='head')
def get(self, url, expect=200, auth=None): def get(self, url, expect=200, auth=None):
return self._generic_rest(url, data=None, expect=expect, auth=auth, method='get') return self._generic_rest(url, data=None, expect=expect, auth=auth, method='get')

216
lib/main/tests/jobs.py
View File

@@ -16,18 +16,23 @@
import datetime import datetime
import json import json
from django.contrib.auth.models import User as DjangoUser from django.contrib.auth.models import User as DjangoUser
import django.test from django.core.urlresolvers import reverse
from django.test.client import Client from django.test.client import Client
from lib.main.models import * from lib.main.models import *
from lib.main.tests.base import BaseTest from lib.main.tests.base import BaseTest
class JobsTest(BaseTest): __all__ = ['JobTemplateTest', 'JobTest']
def collection(self): TEST_PLAYBOOK = '''- hosts: mygroup
# not really used gather_facts: false
return '/api/v1/job_templates/' tasks:
- name: woohoo
command: test 1 = 1
'''
class BaseJobTest(BaseTest):
''''''
def get_other2_credentials(self): def get_other2_credentials(self):
return ('other2', 'other2') return ('other2', 'other2')
@@ -36,45 +41,66 @@ class JobsTest(BaseTest):
return ('nobody', 'nobody') return ('nobody', 'nobody')
def setUp(self): def setUp(self):
super(JobsTest, self).setUp() super(BaseJobTest, self).setUp()
# Users
self.setup_users() self.setup_users()
self.other2_django_user = self.make_user('other2', 'other2')
self.nobody_django_user = self.make_user('nobody', 'nobody')
self.other2_django_user = User.objects.create(username='other2') # Organization
self.other2_django_user.set_password('other2')
self.other2_django_user.save()
self.nobody_django_user = User.objects.create(username='nobody')
self.nobody_django_user.set_password('nobody')
self.nobody_django_user.save()
self.organization = Organization.objects.create( self.organization = Organization.objects.create(
name = 'engineering', name='engineering',
created_by = self.normal_django_user created_by=self.normal_django_user,
) )
self.organization.admins.add(self.normal_django_user)
self.organization.users.add(self.normal_django_user)
self.organization.users.add(self.other_django_user)
self.organization.users.add(self.other2_django_user)
self.inventory = Inventory.objects.create( # Team
name = 'prod', self.team = self.organization.teams.create(
organization = self.organization, name='Tigger',
created_by = self.normal_django_user created_by=self.normal_django_user,
) )
self.group_a = Group.objects.create(
name = 'group1',
inventory = self.inventory,
created_by = self.normal_django_user
)
self.team = Team.objects.create(
name = 'Tigger',
created_by = self.normal_django_user
)
self.team.users.add(self.other_django_user) self.team.users.add(self.other_django_user)
self.team.users.add(self.other2_django_user) self.team.users.add(self.other2_django_user)
# Project
self.project = self.make_projects(self.normal_django_user, 1, self.project = self.make_projects(self.normal_django_user, 1,
playbook_content='')[0] playbook_content=TEST_PLAYBOOK)[0]
self.organization.projects.add(self.project) self.organization.projects.add(self.project)
# Inventory
self.inventory = self.organization.inventories.create(
name = 'prod',
created_by = self.normal_django_user,
)
self.group_a = self.inventory.groups.create(
name = 'group1',
created_by = self.normal_django_user
)
self.host_a = self.inventory.hosts.create(
name = '127.0.0.1',
created_by = self.normal_django_user
)
self.host_b = self.inventory.hosts.create(
name = '127.0.0.2',
created_by = self.normal_django_user
)
self.group_a.hosts.add(self.host_a)
self.group_a.hosts.add(self.host_b)
# Credentials
self.user_credential = self.other_django_user.credentials.create(
ssh_key_data = 'xxx',
created_by = self.normal_django_user,
)
self.team_credential = self.team.credentials.create(
ssh_key_data = 'xxx',
created_by = self.normal_django_user,
)
# other django user is on the project team and can deploy # other django user is on the project team and can deploy
self.permission1 = Permission.objects.create( self.permission1 = Permission.objects.create(
inventory = self.inventory, inventory = self.inventory,
@@ -83,7 +109,6 @@ class JobsTest(BaseTest):
permission_type = PERM_INVENTORY_DEPLOY, permission_type = PERM_INVENTORY_DEPLOY,
created_by = self.normal_django_user created_by = self.normal_django_user
) )
# individual permission granted to other2 user, can run check mode # individual permission granted to other2 user, can run check mode
self.permission2 = Permission.objects.create( self.permission2 = Permission.objects.create(
inventory = self.inventory, inventory = self.inventory,
@@ -93,58 +118,105 @@ class JobsTest(BaseTest):
created_by = self.normal_django_user created_by = self.normal_django_user
) )
self.host_a = Host.objects.create( self.job_template1 = JobTemplate.objects.create(
name = '127.0.0.1',
inventory = self.inventory,
created_by = self.normal_django_user
)
self.host_b = Host.objects.create(
name = '127.0.0.2',
inventory = self.inventory,
created_by = self.normal_django_user
)
self.group_a.hosts.add(self.host_a)
self.group_a.hosts.add(self.host_b)
self.group_a.save()
self.credential = Credential.objects.create(
ssh_key_data = 'xxx',
created_by = self.normal_django_user,
user = self.other_django_user
)
self.credential2 = Credential.objects.create(
ssh_key_data = 'xxx',
created_by = self.normal_django_user,
team = self.team,
)
self.organization.projects.add(self.project)
self.organization.admins.add(self.normal_django_user)
self.organization.users.add(self.normal_django_user)
self.organization.save()
self.template1 = JobTemplate.objects.create(
name = 'job-run', name = 'job-run',
job_type = 'run', job_type = 'run',
inventory = self.inventory, inventory = self.inventory,
credential = self.credential, credential = self.user_credential,
project = self.project, project = self.project,
created_by = self.normal_django_user,
) )
self.template2 = JobTemplate.objects.create( self.job_template2 = JobTemplate.objects.create(
name = 'job-check', name = 'job-check',
job_type = 'check', job_type = 'check',
inventory = self.inventory, inventory = self.inventory,
credential = self.credential, credential = self.team_credential,
project = self.project, project = self.project,
created_by = self.normal_django_user,
) )
class JobTemplateTest(BaseJobTest):
def setUp(self):
super(JobTemplateTest, self).setUp()
def test_job_template_list(self):
url = reverse('main:job_templates_list')
response = self.get(url, expect=401)
with self.current_user(self.normal_django_user):
response = self.get(url, expect=200)
self.assertTrue(response['count'], JobTemplate.objects.count())
# FIXME: Test that user can only see job templates from own organization.
# org admin can add job template
data = dict(
name = 'job-foo',
credential = self.user_credential.pk,
inventory = self.inventory.pk,
project = self.project.pk,
job_type = PERM_INVENTORY_DEPLOY,
)
with self.current_user(self.normal_django_user):
response = self.post(url, data, expect=201)
detail_url = reverse('main:job_templates_detail',
args=(response['id'],))
self.assertEquals(response['url'], detail_url)
# other_django_user is on a team that can deploy, so can create both
# deploy and check type job templates
with self.current_user(self.other_django_user):
data['name'] = 'job-foo2'
response = self.post(url, data, expect=201)
data['name'] = 'job-foo3'
data['job_type'] = PERM_INVENTORY_CHECK
response = self.post(url, data, expect=201)
# other2_django_user has individual permissions to run check mode,
# but not deploy
with self.current_user(self.other2_django_user):
data['name'] = 'job-foo4'
#data['credential'] = self.user_credential.pk
#response = self.post(url, data, expect=201)
data['name'] = 'job-foo5'
data['job_type'] = PERM_INVENTORY_DEPLOY
response = self.post(url, data, expect=403)
# nobody user can't even run check mode
with self.current_user(self.nobody_django_user):
data['name'] = 'job-foo5'
data['job_type'] = PERM_INVENTORY_CHECK
response = self.post(url, data, expect=403)
data['job_type'] = PERM_INVENTORY_DEPLOY
response = self.post(url, data, expect=403)
def test_job_template_detail(self):
return # FIXME
# verify we can also get the job template record
got = self.get(url, expect=200, auth=self.get_other2_credentials())
self.failUnlessEqual(got['url'], '/api/v1/job_templates/6/')
# TODO: add more tests that show
# the method used to START a JobTemplate follow the exact same permissions as those to create it ...
# and that jobs come back nicely serialized with related resources and so on ...
# that we can drill all the way down and can get at host failure lists, etc ...
class JobTest(BaseJobTest):
def setUp(self):
super(JobTest, self).setUp()
def test_mainline(self): def test_mainline(self):
return # FIXME
# job templates # job templates
data = self.get('/api/v1/job_templates/', expect=401) data = self.get('/api/v1/job_templates/', expect=401)
data = self.get('/api/v1/job_templates/', expect=200, auth=self.get_normal_credentials()) data = self.get('/api/v1/job_templates/', expect=200, auth=self.get_normal_credentials())

20
lib/main/tests/organizations.py
View File

@@ -18,6 +18,7 @@ import datetime
import json import json
from django.contrib.auth.models import User as DjangoUser from django.contrib.auth.models import User as DjangoUser
from django.core.urlresolvers import reverse
import django.test import django.test
from django.test.client import Client from django.test.client import Client
from lib.main.models import * from lib.main.models import *
@@ -64,17 +65,26 @@ class OrganizationsTest(BaseTest):
self.organizations[1].admins.add(self.normal_django_user) self.organizations[1].admins.add(self.normal_django_user)
def test_get_list(self): def test_get_list(self):
url = reverse('main:organizations_list')
# no credentials == 401 # no credentials == 401
self.get(self.collection(), expect=401) self.options(url, expect=401)
self.head(url, expect=401)
self.get(url, expect=401)
# wrong credentials == 401 # wrong credentials == 401
self.get(self.collection(), expect=401, auth=self.get_invalid_credentials()) with self.current_user(self.get_invalid_credentials()):
self.options(url, expect=401)
self.head(url, expect=401)
self.get(url, expect=401)
# superuser credentials == 200, full list # superuser credentials == 200, full list
data = self.get(self.collection(), expect=200, auth=self.get_super_credentials()) with self.current_user(self.super_django_user):
self.check_pagination_and_size(data, 10, previous=None, next=None) self.options(url, expect=200)
[self.assertTrue(key in data['results'][0]) for key in ['name', 'description', 'url', 'creation_date', 'id' ]] self.head(url, expect=200)
data = self.get(url, expect=200)
self.check_pagination_and_size(data, 10, previous=None, next=None)
[self.assertTrue(key in data['results'][0]) for key in ['name', 'description', 'url', 'creation_date', 'id' ]]
# check that the related URL functionality works # check that the related URL functionality works
related = data['results'][0]['related'] related = data['results'][0]['related']

4
lib/main/views.py
View File

@@ -20,8 +20,8 @@ from lib.main.models import *
from django.contrib.auth.models import User from django.contrib.auth.models import User
from lib.main.serializers import * from lib.main.serializers import *
from lib.main.rbac import * from lib.main.rbac import *
from django.core.exceptions import PermissionDenied
from django.core.urlresolvers import reverse from django.core.urlresolvers import reverse
from rest_framework.exceptions import PermissionDenied
from rest_framework import mixins from rest_framework import mixins
from rest_framework import generics from rest_framework import generics
from rest_framework import permissions from rest_framework import permissions
@@ -266,7 +266,7 @@ class TeamsList(BaseList):
if self.request.user.is_superuser: if self.request.user.is_superuser:
return base.all() return base.all()
return base.filter( return base.filter(
admins__in = [ self.request.user ] organization__admins__in = [ self.request.user ]
).distinct() | base.filter( ).distinct() | base.filter(
users__in = [ self.request.user ] users__in = [ self.request.user ]
).distinct() ).distinct()

51
lib/settings/defaults.py
View File

@@ -187,3 +187,54 @@ CELERYD_TASK_TIME_LIMIT = 3600
CELERYD_TASK_SOFT_TIME_LIMIT = 3540 CELERYD_TASK_SOFT_TIME_LIMIT = 3540
CELERYBEAT_SCHEDULER = 'djcelery.schedulers.DatabaseScheduler' CELERYBEAT_SCHEDULER = 'djcelery.schedulers.DatabaseScheduler'
CELERYBEAT_MAX_LOOP_INTERVAL = 60 CELERYBEAT_MAX_LOOP_INTERVAL = 60
LOGGING = {
'version': 1,
'disable_existing_loggers': False,
'filters': {
'require_debug_false': {
'()': 'django.utils.log.RequireDebugFalse',
},
'require_debug_true': {
'()': 'django.utils.log.RequireDebugTrue',
},
},
'handlers': {
'console': {
'level': 'DEBUG',
#'filters': ['require_debug_true'],
'class': 'logging.StreamHandler',
},
'null': {
'class': 'django.utils.log.NullHandler',
},
'mail_admins': {
'level': 'ERROR',
'filters': ['require_debug_false'],
'class': 'django.utils.log.AdminEmailHandler'
}
},
'loggers': {
'django': {
'handlers': ['console'],
},
'django.request': {
'handlers': ['mail_admins'],
'level': 'ERROR',
'propagate': False,
},
'py.warnings': {
'handlers': ['console'],
},
'lib.main': {
'handlers': ['console'],
'level': 'DEBUG',
'filters': []
},
'lib.main.rbac': {
'handlers': ['null'],
# Comment the line below to show lots of permissions logging.
'propagate': False,
},
}
}