Merge pull request #273 from chrismeyersfsu/fix-job_launch_credential_permissions

restrict the set of valid, explicitly supplied credentials to be ones readable by the user
2026-02-18 11:40:05 -03:30 · 2015-06-10 08:37:25 -04:00
parent ca59314f87 df57f45baa
commit f06c7e17f5
2 changed files with 11 additions and 0 deletions
--- a/awx/api/views.py
+++ b/awx/api/views.py
@@ -1755,6 +1755,10 @@ class JobTemplateLaunch(RetrieveAPIView, GenericAPIView):
        if not serializer.is_valid():
            return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)

+        # At this point, a credential is gauranteed to exist at serializer.object.credential
+        if not request.user.can_access(Credential, 'read', serializer.object.credential):
+            raise PermissionDenied()
+
        kv = {
            'credential': serializer.object.credential.pk,
        }