Merge pull request #3098 from AlanCoding/3033_AS_updates

Reorganize activity stream access around org admin/auditors (3.0.2)
2026-01-13 19:10:07 -03:30 · 2016-07-25 11:04:05 -04:00 · 2016-07-25 11:04:05 -04:00 · f5fa53d89a
commit f5fa53d89a
parent 03a24da2e1 6fee46fb66
1 changed files with 11 additions and 10 deletions
--- a/awx/main/access.py
+++ b/awx/main/access.py
@ -1562,21 +1562,22 @@ class ActivityStreamAccess(BaseAccess):

        inventory_set = Inventory.accessible_objects(self.user, 'read_role')
        credential_set = Credential.accessible_objects(self.user, 'read_role')
-        organization_set = Organization.accessible_objects(self.user, 'read_role')
-        admin_of_orgs = Organization.accessible_objects(self.user, 'admin_role')
-        group_set = Group.objects.filter(inventory__in=inventory_set)
+        auditing_orgs = (
+            Organization.accessible_objects(self.user, 'admin_role') |
+            Organization.accessible_objects(self.user, 'auditor_role')
+        ).distinct().values_list('id', flat=True)
        project_set = Project.accessible_objects(self.user, 'read_role')
        jt_set = JobTemplate.accessible_objects(self.user, 'read_role')
        team_set = Team.accessible_objects(self.user, 'read_role')

        return qs.filter(
            Q(ad_hoc_command__inventory__in=inventory_set) |
-            Q(user__in=organization_set.values('member_role__members')) |
+            Q(user__in=auditing_orgs.values('member_role__members')) |
            Q(user=self.user) |
-            Q(organization__in=organization_set) |
+            Q(organization__in=auditing_orgs) |
            Q(inventory__in=inventory_set) |
            Q(host__inventory__in=inventory_set) |
-            Q(group__in=group_set) |
+            Q(group__inventory__in=inventory_set) |
            Q(inventory_source__inventory__in=inventory_set) |
            Q(inventory_update__inventory_source__inventory__in=inventory_set) |
            Q(credential__in=credential_set) |
@ -1585,10 +1586,10 @@ class ActivityStreamAccess(BaseAccess):
            Q(project_update__project__in=project_set) |
            Q(job_template__in=jt_set) |
            Q(job__job_template__in=jt_set) |
-            Q(notification_template__organization__in=admin_of_orgs) |
-            Q(notification__notification_template__organization__in=admin_of_orgs) |
-            Q(label__organization__in=organization_set) |
-            Q(role__in=Role.visible_roles(self.user))
+            Q(notification_template__organization__in=auditing_orgs) |
+            Q(notification__notification_template__organization__in=auditing_orgs) |
+            Q(label__organization__in=auditing_orgs) |
+            Q(role__in=Role.visible_roles(self.user) if auditing_orgs else [])
        ).distinct()

    def can_add(self, data):