Fixed bug where an org admin was not able to add
an orphaned user to the org, in the case where the
orphan had an ancestor role that matched one of the
roles for of the org admin.
scenario to fix -- sue is member of cred1, where cred1 is
part of org1. org1 admin cannot add sue to org1, because
the cred1 role for sue has an ancestor to org1 role. The org1
admin cannot change or attach sue to org1.
tower issue #4198 and #4197
Set JT.organization with value from its project
Remove validation requiring JT.organization
Undo some of the additional org definitions in tests
Revert some tests no longer needed for feature
exclude workflow approvals from unified organization field
revert awxkit changes for providing organization
Roll back additional JT creation permission requirement
Fix up more issues by persisting organization field when project is removed
Restrict project org editing, logging, and testing
Grant removed inventory org admin permissions in migration
Add special validate_unique for job templates
this deals with enforcing name-organization uniqueness
Add back in special message where config is unknown
when receiving 403 on job relaunch
Fix logical and performance bugs with data migration
within JT.inventory.organization make-permission-explicit migration
remove nested loops so we do .iterator() on JT queryset
in reverse migration, carefully remove execute role on JT
held by org admins of inventory organization,
as well as the execute_role holders
Use current state of Role model in logic, with 1 notable exception
that is used to filter on ancestors
the ancestor and descentent relationship in the migration model
is not reliable
output of this is saved as an integer list to avoid future
compatibility errors
make the parents rebuilding logic skip over irrelevant models
this is the largest performance gain for small resource numbers
This is the old version of this feature from 2019
this allows setting the organization in the data sent
to the API when creating a JT, and exposes the field
in the UI as well
Subsequent commit changes the field from editable
to read-only, but as of this commit, the machinery
is not hooked up to infer it from project
a side effect of this bug is that `awx schedules create` doesn't work
properly for non-admin users (i.e., users who have execute access for
a JT)
see: https://github.com/ansible/awx/issues/5717
* RBAC relaunch 403 updates
Addresses 2 things
1. If WFJ relaunch is attempted, and relaunch is denied
because the WFJ had encrypted survey answers,
a generic message was shown, this changes it to show
a specific error message
2. Org admins are banned from relaunching a job
if the job has encrypted survey answers
* update tests to raises access pattern
* catch PermissionDenied for user_capabilities
If more than one Organization were selected by this subquery, then
Postgres would complain with "more than one row returned by a subquery
used as an expression". We needed to allow for that case.
Annoyingly SQLite3 doesn't seem to care, so writing a py.test test to
exercise this isn't feasible under our current development setup.
This addresses the top-level resources in the v2
root view, focusing in order of priority,
reflecting use by the UI.
In several cases get_queryset logic from the view
is moved into the access class.
Most other cases involve adding a straightforward
select_related or prefetch_related entry.
All additional confirmed to be effective with the
django debug toolbar.
When a user doesn't have access to all the credentials of a job
template, they cannot copy the JT. However, currently we raise a
default `PermissionDenied`, which doesn't give the user insight
into what's wrong. So, this PR just adds a custom message indicating
that access to credentials is missing.
Signed-off-by: Vismay Golwala <vgolwala@redhat.com>
so that changing the membership of Organizations and Teams are
disallowed unless you are a superuser, but granting resource
privileges is still permitted.
