allow org auditors to view notification templates

2026-01-11 18:09:57 -03:30 · 2016-07-12 09:11:44 -04:00 · 2016-07-12 09:11:44 -04:00 · f68495cf58
commit f68495cf58
parent f9707c0ca1
2 changed files with 11 additions and 2 deletions
--- a/awx/main/access.py
+++ b/awx/main/access.py
@ -1371,13 +1371,17 @@ class NotificationTemplateAccess(BaseAccess):
        qs = self.model.objects.all()
        if self.user.is_superuser or self.user.is_system_auditor:
            return qs
-        return self.model.objects.filter(organization__in=Organization.accessible_objects(self.user, 'admin_role').all())
+        return self.model.objects.filter(
+            Q(organization__in=self.user.admin_of_organizations) |
+            Q(organization__in=self.user.auditor_of_organizations)
+        ).distinct()

    def can_read(self, obj):
        if self.user.is_superuser or self.user.is_system_auditor:
            return True
        if obj.organization is not None:
-            return self.user in obj.organization.admin_role
+            if self.user in obj.organization.admin_role or self.user in obj.organization.auditor_role:
+                return True
        return False

    @check_superuser
--- a/awx/main/tests/functional/test_rbac_notifications.py
+++ b/awx/main/tests/functional/test_rbac_notifications.py
@ -24,6 +24,11 @@ def test_notification_template_get_queryset_orgadmin(notification_template, user
    notification_template.organization.admin_role.members.add(user('admin', False))
    assert access.get_queryset().count() == 1

+@pytest.mark.django_db
+def test_notification_template_get_queryset_org_auditor(notification_template, org_auditor):
+    access = NotificationTemplateAccess(org_auditor)
+    assert access.get_queryset().count() == 1
+
@pytest.mark.django_db
 def test_notification_template_access_superuser(notification_template_factory):
    nf_objects = notification_template_factory('test-orphaned', organization='test', superusers=['admin'])