Add Credential Admin role

2024-11-01 08:21:15 +03:00 · 2018-01-26 15:43:00 +00:00 · 2018-01-26 15:43:00 +00:00 · 109841c350
commit 109841c350
parent 6c951aa883
4 changed files with 7 additions and 2 deletions
--- a/awx/main/access.py
+++ b/awx/main/access.py
@ -991,7 +991,7 @@ class CredentialAccess(BaseAccess):
    def can_change(self, obj, data):
        if not obj:
            return False
-        return self.user in obj.admin_role and self.check_related('organization', Organization, data, obj=obj)
+        return self.user in obj.admin_role and self.check_related('organization', Organization, data, obj=obj, role_field='credential_admin_role')

    def can_delete(self, obj):
        # Unassociated credentials may be marked deleted by anyone, though we
--- a/awx/main/models/credential/init.py
+++ b/awx/main/models/credential/init.py
@ -262,7 +262,7 @@ class Credential(PasswordFieldsModel, CommonModelNameNotUnique, ResourceMixin):
    admin_role = ImplicitRoleField(
        parent_role=[
            'singleton:' + ROLE_SINGLETON_SYSTEM_ADMINISTRATOR,
-            'organization.admin_role',
+            'organization.credential_admin_role',
        ],
    )
    use_role = ImplicitRoleField(
--- a/awx/main/models/organization.py
+++ b/awx/main/models/organization.py
@ -49,6 +49,9 @@ class Organization(CommonModel, NotificationFieldsModel, ResourceMixin, CustomVi
    inventory_admin_role = ImplicitRoleField(
        parent_role='admin_role',
    )
+    credential_admin_role = ImplicitRoleField(
+        parent_role='admin_role',
+    )
    auditor_role = ImplicitRoleField(
        parent_role='singleton:' + ROLE_SINGLETON_SYSTEM_AUDITOR,
    )
--- a/awx/main/models/rbac.py
+++ b/awx/main/models/rbac.py
@ -39,6 +39,7 @@ role_names = {
    'admin_role'           : _('Admin'),
    'project_admin_role'   : _('Project Admin'),
    'inventory_admin_role' : _('Inventory Admin'),
+    'credential_admin_role': _('Credential Admin'),
    'auditor_role'         : _('Auditor'),
    'execute_role'         : _('Execute'),
    'member_role'          : _('Member'),
@ -54,6 +55,7 @@ role_descriptions = {
    'admin_role'           : _('Can manage all aspects of the %s'),
    'project_admin_role'   : _('Can manage all projects of the %s'),
    'inventory_admin_role' : _('Can manage all inventories of the %s'),
+    'credential_admin_role': _('Can manage all credentials of the %s'),
    'auditor_role'         : _('Can view all settings for the %s'),
    'execute_role'         : _('May run the %s'),
    'member_role'          : _('User is a member of the %s'),