shaba/awx
1
0
Fork 0
mirror of https://github.com/ansible/awx.git synced 2024-11-02 01:21:21 +03:00
Code Releases Activity

Protect isolated and control groups from api deletion

Browse Source 
Isolated and Control groups are managed strictly from the standalone
setup playbook installer and should not be directly managable from the
api. Especially true since you can't assign or create isolated groups
from within the API itself.

In the future this may change but allowing this in the API could leave
the system in a bad state.
This commit is contained in:
Matthew Jones 2018-04-20 15:30:13 -04:00
parent a2901a47ee
commit 062329f56e
No known key found for this signature in database
GPG Key ID: 76A4C17A97590C1C
2 changed files with 23 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
awx/api/views.py
View File

@ -671,6 +671,14 @@ class InstanceGroupDetail(RelatedJobsPreventDeleteMixin, RetrieveUpdateDestroyAP
serializer_class = InstanceGroupSerializer serializer_class = InstanceGroupSerializer
permission_classes = (InstanceGroupTowerPermission,) permission_classes = (InstanceGroupTowerPermission,)
def destroy(self, request, *args, **kwargs):
instance = self.get_object()
if instance.controller is not None:
raise PermissionDenied(detail=_("Isolated Groups can not be removed from the API"))
if instance.controlled_groups.count():
raise PermissionDenied(detail=_("Instance Groups acting as a controller for an Isolated Group can not be removed from the API"))
return super(InstanceGroupDetail, self).destroy(request, *args, **kwargs)
class InstanceGroupUnifiedJobsList(SubListAPIView): class InstanceGroupUnifiedJobsList(SubListAPIView):

15
awx/main/tests/functional/api/test_instance_group.py
View File

@ -21,6 +21,13 @@ def instance_group(job_factory):
return ig return ig
@pytest.fixture
def isolated_instance_group(instance_group):
ig = InstanceGroup(name="iso", controller=instance_group)
ig.save()
return ig
@pytest.fixture @pytest.fixture
def create_job_factory(job_factory, instance_group): def create_job_factory(job_factory, instance_group):
def fn(status='running'): def fn(status='running'):
@ -91,3 +98,11 @@ def test_modify_delete_tower_instance_group_prevented(delete, options, tower_ins
assert 'DELETE' not in resp.data['actions'] assert 'DELETE' not in resp.data['actions']
assert 'GET' in resp.data['actions'] assert 'GET' in resp.data['actions']
assert 'PUT' in resp.data['actions'] assert 'PUT' in resp.data['actions']
@pytest.mark.django_db
def test_prevent_delete_iso_and_control_groups(delete, isolated_instance_group, admin):
iso_url = reverse("api:instance_group_detail", kwargs={'pk': isolated_instance_group.pk})
controller_url = reverse("api:instance_group_detail", kwargs={'pk': isolated_instance_group.controller.pk})
delete(iso_url, None, admin, expect=403)
delete(controller_url, None, admin, expect=403)