Adding Instance Group permissions and tests

2026-03-22 03:17:39 -02:30 · 2017-05-11 15:14:18 -04:00
parent 8bc1490368
commit f8fc9cff5c
2 changed files with 140 additions and 0 deletions
--- a/awx/main/access.py
+++ b/awx/main/access.py
@@ -393,11 +393,38 @@ class InstanceAccess(BaseAccess):

    model = Instance

+    def get_queryset(self):
+        return Instance.objects.filter(rampart_groups__in=self.user.get_queryset(InstanceGroup))
+
+    def can_add(self, data):
+        return False
+
+    def can_change(self, obj, data):
+        return False
+
+    def can_delete(self, obj):
+        return False
+

 class InstanceGroupAccess(BaseAccess):

    model = InstanceGroup

+    def get_queryset(self):
+        if self.user.is_superuser or self.user.is_system_auditor:
+            return InstanceGroup.objects.all()
+        else:
+            return InstanceGroup.objects.filter(organization__in=Organization.accessible_objects(self.user, 'admin_role'))
+
+    def can_add(self, data):
+        return False
+
+    def can_change(self, obj, data):
+        return False
+
+    def can_delete(self, obj):
+        return False
+

 class UserAccess(BaseAccess):
    '''
@@ -523,6 +550,18 @@ class OrganizationAccess(BaseAccess):
                                 "active_jobs": active_jobs})
        return True

+    def can_attach(self, obj, sub_obj, relationship, *args, **kwargs):
+        if relationship == "instance_groups":
+            if self.user.can_access(type(sub_obj), "read", sub_obj) and self.user in obj.admin_role:
+                return True
+            return False
+        return super(OrganizationAccess, self).can_attach(obj, sub_obj, relationship, *args, **kwargs)
+
+    def can_unattach(self, obj, sub_obj, relationship, *args, **kwargs):
+        if relationship == "instance_groups":
+            return self.can_attach(obj, sub_obj, relationship, *args, **kwargs)
+        return super(OrganizationAccess, self).can_attach(obj, sub_obj, relationship, *args, **kwargs)
+

 class InventoryAccess(BaseAccess):
    '''
@@ -593,6 +632,18 @@ class InventoryAccess(BaseAccess):
    def can_run_ad_hoc_commands(self, obj):
        return self.user in obj.adhoc_role

+    def can_attach(self, obj, sub_obj, relationship, *args, **kwargs):
+        if relationship == "instance_groups":
+            if self.user.can_access(type(sub_obj), "read", sub_obj) and self.user in obj.organization.admin_role:
+                return True
+            return False
+        return super(InventoryAccess, self).can_attach(obj, sub_obj, relationship, *args, **kwargs)
+
+    def can_unattach(self, obj, sub_obj, relationship, *args, **kwargs):
+        if relationship == "instance_groups":
+            return self.can_attach(obj, sub_obj, relationship, *args, **kwargs)
+        return super(InventoryAccess, self).can_attach(obj, sub_obj, relationship, *args, **kwargs)
+

 class HostAccess(BaseAccess):
    '''
@@ -1260,9 +1311,19 @@ class JobTemplateAccess(BaseAccess):
    def can_attach(self, obj, sub_obj, relationship, data, skip_sub_obj_read_check=False):
        if isinstance(sub_obj, NotificationTemplate):
            return self.check_related('organization', Organization, {}, obj=sub_obj, mandatory=True)
+        if relationship == "instance_groups":
+            if self.user.can_access(type(sub_obj), "read", sub_obj) and self.user in obj.project.organization.admin_role:
+                return True
+            return False
        return super(JobTemplateAccess, self).can_attach(
            obj, sub_obj, relationship, data, skip_sub_obj_read_check=skip_sub_obj_read_check)

+    def can_unattach(self, obj, sub_obj, relationship, *args, **kwargs):
+        if relationship == "instance_groups":
+            return self.can_attach(obj, sub_obj, relationship, *args, **kwargs)
+        return super(InventoryAccess, self).can_attach(obj, sub_obj, relationship, *args, **kwargs)
+
+

 class JobAccess(BaseAccess):
    '''