From f5760b149df716bad0d5fc072c7445ab7765c5b5 Mon Sep 17 00:00:00 2001
From: Alan Rominger
Date: Mon, 26 Aug 2024 11:51:16 -0400
Subject: [PATCH] Fix 500 error when ordinary user viewed system JTs (#15465)
---
 awx/main/access.py | 5 +++++
 awx/main/tests/functional/test_rbac_job.py | 20 +++++++++++++++++++-
 awx/main/tests/unit/test_access.py | 13 +------------
 3 files changed, 25 insertions(+), 13 deletions(-)
diff --git a/awx/main/access.py b/awx/main/access.py
index b8a80c12d9..3a217fe2af 100644
--- a/awx/main/access.py
+++ b/awx/main/access.py
@@ -1843,6 +1843,11 @@ class SystemJobTemplateAccess(BaseAccess):
 model = SystemJobTemplate
+ def filtered_queryset(self):
+ if self.user.is_superuser or self.user.is_system_auditor:
+ return self.model.objects.all()
+ return self.model.objects.none()
+
 @check_superuser
 def can_start(self, obj, validate_license=True):
 '''Only a superuser can start a job from a SystemJobTemplate'''
diff --git a/awx/main/tests/functional/test_rbac_job.py b/awx/main/tests/functional/test_rbac_job.py
index ff5c6c25a2..dfc351a5d9 100644
--- a/awx/main/tests/functional/test_rbac_job.py
+++ b/awx/main/tests/functional/test_rbac_job.py
@@ -2,7 +2,7 @@ import pytest
 from rest_framework.exceptions import PermissionDenied
-from awx.main.access import JobAccess, JobLaunchConfigAccess, AdHocCommandAccess, InventoryUpdateAccess, ProjectUpdateAccess
+from awx.main.access import JobAccess, JobLaunchConfigAccess, AdHocCommandAccess, InventoryUpdateAccess, ProjectUpdateAccess, SystemJobTemplateAccess
 from awx.main.models import (
 Job,
 JobLaunchConfig,
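Review bot: `filtered_queryset` in awx/main/access.py encodes the visibility policy for system job templates but carries no docstring, unlike `can_start` directly below it. I would add `'''Only superusers and system auditors can see SystemJobTemplates; everyone else gets an empty queryset'''` so the deny-by-default fallthrough to `objects.none()` reads as intentional and is not loosened by accident when another role is added. Whether the base class already short-circuits on these two flags before it calls this method is not visible in the hunk; if it does, the first branch is redundant and a comment saying so would help. The class body continues outside the hunk.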
@@ -350,3 +350,21 @@ class TestLaunchConfigAccess:
 assert access.can_use(config)
 assert rando.can_access(JobLaunchConfig, 'use', config)
+
+
+@pytest.mark.django_db
+class TestSystemJobTemplateAccess:
+ def test_system_job_template_auditor(self, system_auditor, system_job_template):
+ access = SystemJobTemplateAccess(system_auditor)
+ assert access.can_read(system_job_template)
+ assert not access.can_start(system_job_template)
+
+ def test_system_job_template_rando(self, rando, system_job_template):
+ access = SystemJobTemplateAccess(rando)
+ assert not access.can_read(system_job_template)
+ assert not access.can_start(system_job_template)
+
+ def test_system_job_template_superuser(self, admin_user, system_job_template):
+ access = SystemJobTemplateAccess(admin_user)
+ assert access.can_read(system_job_template)
+ assert access.can_start(system_job_template)
diff --git a/awx/main/tests/unit/test_access.py b/awx/main/tests/unit/test_access.py
index 0059cb4984..08e1e66ab5 100644
--- a/awx/main/tests/unit/test_access.py
+++ b/awx/main/tests/unit/test_access.py
@@ -5,7 +5,7 @@ from django.contrib.auth.models import User
 from django.forms.models import model_to_dict
 from rest_framework.exceptions import ParseError
-from awx.main.access import BaseAccess, check_superuser, JobTemplateAccess, WorkflowJobTemplateAccess, SystemJobTemplateAccess, vars_are_encrypted
+from awx.main.access import BaseAccess, check_superuser, JobTemplateAccess, WorkflowJobTemplateAccess, vars_are_encrypted
 from awx.main.models import (
 Credential,
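Review bot: The new `TestSystemJobTemplateAccess` cases in awx/main/tests/functional/test_rbac_job.py check `can_read` and `can_start` on the access object, but none of them goes through the request path that the commit subject says returned a 500 for an ordinary user. A functional test that requests the system job template list as `rando` and asserts the response is not a server error would pin the regression itself. At minimum, `test_system_job_template_rando` could check the queryset directly with `assert not access.filtered_queryset().exists()`, so the empty-queryset branch is covered independently of how `can_read` is implemented.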
@@ -239,14 +239,3 @@ def test_user_capabilities_method():
 foo = object()
 foo_capabilities = foo_access.get_user_capabilities(foo, ['edit', 'copy'])
 assert foo_capabilities == {'edit': 'bar', 'copy': 'foo'}
-
-
-def test_system_job_template_can_start(mocker):
- user = mocker.MagicMock(spec=User, id=1, is_system_auditor=True, is_superuser=False)
- assert user.is_system_auditor
- access = SystemJobTemplateAccess(user)
- assert not access.can_start(None)
-
- user.is_superuser = True
- access = SystemJobTemplateAccess(user)
- assert access.can_start(None)