External-Mirrors/awx
2
0
Fork 0
mirror of https://github.com/ansible/awx.git synced 2026-02-24 06:26:00 -03:30
Code Issues Packages Projects Releases Wiki Activity

Fix 500 error when ordinary user viewed system JTs (#15465)

Browse Source
This commit is contained in:
Alan Rominger
2024-08-26 11:51:16 -04:00
committed by GitHub
parent 7ed0eee60c
commit f5760b149d
3 changed files with 25 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
awx/main/access.py
View File

@@ -1843,6 +1843,11 @@ class SystemJobTemplateAccess(BaseAccess):
model = SystemJobTemplate
def filtered_queryset(self):
if self.user.is_superuser or self.user.is_system_auditor:
return self.model.objects.all()
return self.model.objects.none()
@check_superuser
def can_start(self, obj, validate_license=True):
'''Only a superuser can start a job from a SystemJobTemplate'''

20
awx/main/tests/functional/test_rbac_job.py
View File

@@ -2,7 +2,7 @@ import pytest
from rest_framework.exceptions import PermissionDenied
from awx.main.access import JobAccess, JobLaunchConfigAccess, AdHocCommandAccess, InventoryUpdateAccess, ProjectUpdateAccess
from awx.main.access import JobAccess, JobLaunchConfigAccess, AdHocCommandAccess, InventoryUpdateAccess, ProjectUpdateAccess, SystemJobTemplateAccess
from awx.main.models import (
Job,
JobLaunchConfig,
@@ -350,3 +350,21 @@ class TestLaunchConfigAccess:
assert access.can_use(config)
assert rando.can_access(JobLaunchConfig, 'use', config)
@pytest.mark.django_db
class TestSystemJobTemplateAccess:
def test_system_job_template_auditor(self, system_auditor, system_job_template):
access = SystemJobTemplateAccess(system_auditor)
assert access.can_read(system_job_template)
assert not access.can_start(system_job_template)
def test_system_job_template_rando(self, rando, system_job_template):
access = SystemJobTemplateAccess(rando)
assert not access.can_read(system_job_template)
assert not access.can_start(system_job_template)
def test_system_job_template_superuser(self, admin_user, system_job_template):
access = SystemJobTemplateAccess(admin_user)
assert access.can_read(system_job_template)
assert access.can_start(system_job_template)

13
awx/main/tests/unit/test_access.py
View File

@@ -5,7 +5,7 @@ from django.contrib.auth.models import User
from django.forms.models import model_to_dict
from rest_framework.exceptions import ParseError
from awx.main.access import BaseAccess, check_superuser, JobTemplateAccess, WorkflowJobTemplateAccess, SystemJobTemplateAccess, vars_are_encrypted
from awx.main.access import BaseAccess, check_superuser, JobTemplateAccess, WorkflowJobTemplateAccess, vars_are_encrypted
from awx.main.models import (
Credential,
@@ -239,14 +239,3 @@ def test_user_capabilities_method():
foo = object()
foo_capabilities = foo_access.get_user_capabilities(foo, ['edit', 'copy'])
assert foo_capabilities == {'edit': 'bar', 'copy': 'foo'}
def test_system_job_template_can_start(mocker):
user = mocker.MagicMock(spec=User, id=1, is_system_auditor=True, is_superuser=False)
assert user.is_system_auditor
access = SystemJobTemplateAccess(user)
assert not access.can_start(None)
user.is_superuser = True
access = SystemJobTemplateAccess(user)
assert access.can_start(None)