External-Mirrors/awx
2
0
Fork 0
mirror of https://github.com/ansible/awx.git synced 2026-01-18 13:11:19 -03:30
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #1355 from wwitzel3/rbac

Browse Source 
RBAC PR Fixes
This commit is contained in:
Akita Noek 2016-03-31 10:46:47 -04:00
commit f9cc986d85
3 changed files with 53 additions and 77 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
awx/api/views.py
View File

@ -214,7 +214,7 @@ class ApiV1ConfigView(APIView):
user_ldap_fields.extend(getattr(settings, 'AUTH_LDAP_USER_FLAGS_BY_GROUP', {}).keys())
data['user_ldap_fields'] = user_ldap_fields
if request.user.is_superuser or Organization.accessible_objects(request.user, {'write': True}).count():
if request.user.is_superuser or Organization.accessible_objects(request.user, {'write': True}).exists():
data.update(dict(
project_base_dir = settings.PROJECTS_ROOT,
project_local_paths = Project.get_local_path_choices(),
@ -1087,7 +1087,7 @@ class UserRolesList(SubListCreateAttachDetachAPIView):
if not sub_id:
data = dict(msg='Role "id" field is missing')
return Response(data, status=status.HTTP_400_BAD_REQUEST)
return super(type(self), self).post(request, *args, **kwargs)
return super(UserRolesList, self).post(request, *args, **kwargs)
def check_parent_access(self, parent=None):
# We hide roles that shouldn't be seen in our queryset
@ -3422,7 +3422,7 @@ class RoleTeamsList(ListAPIView):
def get_queryset(self):
# TODO: Check
role = Role.objects.get(pk=self.kwargs['pk'])
return Team.objects.filter(member_role__children__in=[role])
return Team.objects.filter(member_role__children=role)
def post(self, request, pk, *args, **kwargs):
# Forbid implicit role creation here

121
awx/main/access.py
View File

@ -213,19 +213,16 @@ class UserAccess(BaseAccess):
def get_queryset(self):
if self.user.is_superuser:
return User.objects
return User.objects.all()
if tower_settings.ORG_ADMINS_CAN_SEE_ALL_USERS and self.user.admin_of_organizations.exists():
return User.objects
return User.objects.all()
viewable_users_set = set()
viewable_users_set.update(self.user.roles.values_list('ancestors__members__id', flat=True))
viewable_users_set.update(self.user.roles.values_list('descendents__members__id', flat=True))
return User.objects.filter(id__in=viewable_users_set)
#qs = User.objects.filter(self.user, {'read':True})
#qs = User.objects.
#return qs
def can_add(self, data):
if data is not None and 'is_superuser' in data:
@ -275,8 +272,7 @@ class OrganizationAccess(BaseAccess):
def get_queryset(self):
qs = self.model.accessible_objects(self.user, {'read':True})
qs = qs.select_related('created_by', 'modified_by')
return qs
return qs.select_related('created_by', 'modified_by').all()
def can_change(self, obj, data):
if self.user.is_superuser:
@ -311,8 +307,7 @@ class InventoryAccess(BaseAccess):
def get_queryset(self, allowed=None, ad_hoc=None):
qs = self.model.accessible_objects(self.user, {'read': True})
qs = qs.select_related('created_by', 'modified_by', 'organization')
return qs
return qs.select_related('created_by', 'modified_by', 'organization').all()
def can_read(self, obj):
return obj.accessible_by(self.user, {'read': True})
@ -369,8 +364,7 @@ class HostAccess(BaseAccess):
qs = qs.select_related('created_by', 'modified_by', 'inventory',
'last_job__job_template',
'last_job_host_summary__job')
qs = qs.prefetch_related('groups')
return qs
return qs.prefetch_related('groups').all()
def can_read(self, obj):
return obj and obj.inventory.accessible_by(self.user, {'read':True})
@ -422,8 +416,7 @@ class GroupAccess(BaseAccess):
def get_queryset(self):
qs = self.model.accessible_objects(self.user, {'read':True})
qs = qs.select_related('created_by', 'modified_by', 'inventory')
qs = qs.prefetch_related('parents', 'children', 'inventory_source')
return qs
return qs.prefetch_related('parents', 'children', 'inventory_source').all()
def can_read(self, obj):
return obj and obj.inventory.accessible_by(self.user, {'read':True})
@ -547,8 +540,7 @@ class CredentialAccess(BaseAccess):
permitted to see.
"""
qs = self.model.accessible_objects(self.user, {'read':True})
qs = qs.select_related('created_by', 'modified_by')
return qs
return qs.select_related('created_by', 'modified_by').all()
def can_add(self, data):
if self.user.is_superuser:
@ -592,8 +584,7 @@ class TeamAccess(BaseAccess):
def get_queryset(self):
qs = self.model.accessible_objects(self.user, {'read':True})
qs = qs.select_related('created_by', 'modified_by', 'organization')
return qs
return qs.select_related('created_by', 'modified_by', 'organization').all()
def can_add(self, data):
if self.user.is_superuser:
@ -635,10 +626,9 @@ class ProjectAccess(BaseAccess):
def get_queryset(self):
if self.user.is_superuser:
return self.model.objects
return self.model.objects.all()
qs = self.model.accessible_objects(self.user, {'read':True})
qs = qs.select_related('modified_by', 'credential', 'current_job', 'last_job')
return qs
return qs.select_related('modified_by', 'credential', 'current_job', 'last_job').all()
def can_add(self, data):
if self.user.is_superuser:
@ -668,7 +658,7 @@ class ProjectUpdateAccess(BaseAccess):
def get_queryset(self):
if self.user.is_superuser:
return self.model.objects
return self.model.objects.all()
qs = ProjectUpdate.objects.distinct()
qs = qs.select_related('created_by', 'modified_by', 'project')
project_ids = set(self.user.get_queryset(Project).values_list('id', flat=True))
@ -697,9 +687,8 @@ class JobTemplateAccess(BaseAccess):
def get_queryset(self):
qs = self.model.accessible_objects(self.user, {'read':True})
qs = qs.select_related('created_by', 'modified_by', 'inventory', 'project',
'credential', 'cloud_credential', 'next_schedule')
return qs
return qs.select_related('created_by', 'modified_by', 'inventory', 'project',
'credential', 'cloud_credential', 'next_schedule').all()
def can_read(self, obj):
# you can only see the job templates that you have permission to launch.
@ -818,7 +807,7 @@ class JobAccess(BaseAccess):
'project', 'credential', 'cloud_credential', 'job_template')
qs = qs.prefetch_related('unified_job_template')
if self.user.is_superuser:
return qs
return qs.all()
credential_ids = self.user.get_queryset(Credential)
return qs.filter(
@ -908,16 +897,13 @@ class AdHocCommandAccess(BaseAccess):
qs = qs.select_related('created_by', 'modified_by', 'inventory',
'credential')
if self.user.is_superuser:
return qs
return qs.all()
credential_ids = set(self.user.get_queryset(Credential).values_list('id', flat=True))
inventory_qs = Inventory.accessible_objects(self.user, {'read': True, 'execute': True})
qs = qs.filter(
credential_id__in=credential_ids,
inventory__in=inventory_qs,
)
return qs
return qs.filter(credential_id__in=credential_ids,
inventory__in=inventory_qs)
def can_add(self, data):
if not data or '_method' in data: # So the browseable API will work?
@ -970,12 +956,11 @@ class AdHocCommandEventAccess(BaseAccess):
qs = qs.select_related('ad_hoc_command', 'host')
if self.user.is_superuser:
return qs
return qs.all()
ad_hoc_command_qs = self.user.get_queryset(AdHocCommand)
host_qs = self.user.get_queryset(Host)
qs = qs.filter(Q(host__isnull=True) | Q(host__in=host_qs),
ad_hoc_command__in=ad_hoc_command_qs)
return qs
return qs.filter(Q(host__isnull=True) | Q(host__in=host_qs),
ad_hoc_command__in=ad_hoc_command_qs)
def can_add(self, data):
return False
@ -997,7 +982,7 @@ class JobHostSummaryAccess(BaseAccess):
qs = self.model.objects
qs = qs.select_related('job', 'job__job_template', 'host')
if self.user.is_superuser:
return qs
return qs.all()
job_qs = self.user.get_queryset(Job)
host_qs = self.user.get_queryset(Host)
return qs.filter(job__in=job_qs, host__in=host_qs)
@ -1029,12 +1014,11 @@ class JobEventAccess(BaseAccess):
event_data__contains='"module_name": "async_status"')
if self.user.is_superuser:
return qs
return qs.all()
job_qs = self.user.get_queryset(Job)
host_qs = self.user.get_queryset(Host)
qs = qs.filter(Q(host__isnull=True) | Q(host__in=host_qs),
job__in=job_qs)
return qs
return qs.filter(Q(host__isnull=True) | Q(host__in=host_qs), job__in=job_qs)
def can_add(self, data):
return False
@ -1077,7 +1061,7 @@ class UnifiedJobTemplateAccess(BaseAccess):
'cloud_credential',
)
return qs
return qs.all()
class UnifiedJobAccess(BaseAccess):
'''
@ -1119,7 +1103,7 @@ class UnifiedJobAccess(BaseAccess):
'job_template__credential',
'job_template__cloud_credential',
)
return qs
return qs.all()
class ScheduleAccess(BaseAccess):
'''
@ -1133,7 +1117,7 @@ class ScheduleAccess(BaseAccess):
qs = qs.select_related('created_by', 'modified_by')
qs = qs.prefetch_related('unified_job_template')
if self.user.is_superuser:
return qs
return qs.all()
job_template_qs = self.user.get_queryset(JobTemplate)
inventory_source_qs = self.user.get_queryset(InventorySource)
project_qs = self.user.get_queryset(Project)
@ -1186,10 +1170,7 @@ class NotifierAccess(BaseAccess):
model = Notifier
def get_queryset(self):
qs = self.model.objects.distinct()
if self.user.is_superuser:
return qs
return qs
return self.model.objects.distinct().all()
class NotificationAccess(BaseAccess):
'''
@ -1198,10 +1179,7 @@ class NotificationAccess(BaseAccess):
model = Notification
def get_queryset(self):
qs = self.model.objects.distinct()
if self.user.is_superuser:
return qs
return qs
return self.model.objects.distinct().all()
class LabelAccess(BaseAccess):
'''
@ -1210,10 +1188,7 @@ class LabelAccess(BaseAccess):
model = Label
def get_queryset(self):
qs = self.model.objects.distinct()
if self.user.is_superuser:
return qs
return qs
return self.model.objects.distinct().all()
def can_delete(self, obj):
return False
@ -1232,54 +1207,54 @@ class ActivityStreamAccess(BaseAccess):
'inventory_update', 'credential', 'team', 'project', 'project_update',
'permission', 'job_template', 'job')
if self.user.is_superuser:
return qs
return qs.all()
#Inventory filter
inventory_qs = self.user.get_queryset(Inventory)
qs.filter(inventory__in=inventory_qs)
qs = qs.filter(inventory__in=inventory_qs)
#Host filter
qs.filter(host__inventory__in=inventory_qs)
qs = qs.filter(host__inventory__in=inventory_qs)
#Group filter
qs.filter(group__inventory__in=inventory_qs)
qs = qs.filter(group__inventory__in=inventory_qs)
#Inventory Source Filter
qs.filter(Q(inventory_source__inventory__in=inventory_qs) |
Q(inventory_source__group__inventory__in=inventory_qs))
qs = qs.filter(Q(inventory_source__inventory__in=inventory_qs) |
Q(inventory_source__group__inventory__in=inventory_qs))
#Inventory Update Filter
qs.filter(Q(inventory_update__inventory_source__inventory__in=inventory_qs) |
Q(inventory_update__inventory_source__group__inventory__in=inventory_qs))
qs = qs.filter(Q(inventory_update__inventory_source__inventory__in=inventory_qs) |
Q(inventory_update__inventory_source__group__inventory__in=inventory_qs))
#Credential Update Filter
credential_qs = self.user.get_queryset(Credential)
qs.filter(credential__in=credential_qs)
qs = qs.filter(credential__in=credential_qs)
#Team Filter
team_qs = self.user.get_queryset(Team)
qs.filter(team__in=team_qs)
qs = qs.filter(team__in=team_qs)
#Project Filter
project_qs = self.user.get_queryset(Project)
qs.filter(project__in=project_qs)
qs = qs.filter(project__in=project_qs)
#Project Update Filter
qs.filter(project_update__project__in=project_qs)
qs = qs.filter(project_update__project__in=project_qs)
#Job Template Filter
jobtemplate_qs = self.user.get_queryset(JobTemplate)
qs.filter(job_template__in=jobtemplate_qs)
qs = qs.filter(job_template__in=jobtemplate_qs)
#Job Filter
job_qs = self.user.get_queryset(Job)
qs.filter(job__in=job_qs)
qs = qs.filter(job__in=job_qs)
# Ad Hoc Command Filter
ad_hoc_command_qs = self.user.get_queryset(AdHocCommand)
qs.filter(ad_hoc_command__in=ad_hoc_command_qs)
qs = qs.filter(ad_hoc_command__in=ad_hoc_command_qs)
return qs
return qs.all()
def can_add(self, data):
return False
@ -1296,8 +1271,8 @@ class CustomInventoryScriptAccess(BaseAccess):
def get_queryset(self):
if self.user.is_superuser:
return self.model.objects.distinct()
return self.model.accessible_by(self.user, {'read':True})
return self.model.objects.distinct().all()
return self.model.accessible_objects(self.user, {'read':True}).all()
def can_read(self, obj):
if self.user.is_superuser:

3
awx/main/fields.py
View File

@ -16,6 +16,7 @@ from django.db.models.fields.related import (
ManyRelatedObjectsDescriptor,
ReverseManyRelatedObjectsDescriptor,
)
from django.utils.encoding import smart_text
# AWX
from awx.main.models.rbac import RolePermission, Role, batch_role_ancestor_rebuilding
@ -66,7 +67,7 @@ def resolve_role_field(obj, field):
if len(field_components) == 1:
if type(obj) is not ImplicitRoleDescriptor and type(obj) is not Role:
raise Exception('%s refers to a %s, not an ImplicitRoleField or Role' % (field, str(type(obj))))
raise Exception(smart_text('{} refers to a {}, not an ImplicitRoleField or Role').format(field, type(obj)))
ret.append(obj)
else:
if type(obj) is ManyRelatedObjectsDescriptor: