shaba/awx
1
0
Fork 0
mirror of https://github.com/ansible/awx.git synced 2024-11-02 09:51:09 +03:00
Code Releases Activity

Merge pull request #1913 from wwitzel3/issue-1884

Browse Source 
Consolidate roles and re-structure auditor children.
This commit is contained in:
Wayne Witzel III 2016-05-13 13:11:14 -04:00
commit 1e16482809
16 changed files with 90 additions and 145 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
awx/api/views.py
View File

@ -818,7 +818,7 @@ class TeamList(ListCreateAPIView):
def get_queryset(self):
qs = Team.accessible_objects(self.request.user, 'read_role').order_by()
qs = qs.select_related('admin_role', 'auditor_role', 'member_role', 'organization')
qs = qs.select_related('admin_role', 'read_role', 'member_role', 'organization')
return qs
class TeamDetail(RetrieveUpdateDestroyAPIView):
@ -865,7 +865,7 @@ class TeamProjectsList(SubListAPIView):
def get_queryset(self):
team = self.get_parent_object()
self.check_parent_access(team)
team_qs = Project.objects.filter(Q(member_role__parents=team.member_role) | Q(admin_role__parents=team.member_role)).distinct()
team_qs = Project.objects.filter(Q(use_role__parents=team.member_role) | Q(admin_role__parents=team.member_role)).distinct()
user_qs = Project.accessible_objects(self.request.user, 'read_role').distinct()
return team_qs & user_qs
@ -913,9 +913,8 @@ class ProjectList(ListCreateAPIView):
projects_qs = projects_qs.select_related(
'organization',
'admin_role',
'auditor_role',
'member_role',
'scm_update_role',
'use_role',
'update_role',
)
return projects_qs
@ -1422,7 +1421,7 @@ class InventoryList(ListCreateAPIView):
def get_queryset(self):
qs = Inventory.accessible_objects(self.request.user, 'read_role')
qs = qs.select_related('admin_role', 'auditor_role', 'update_role', 'execute_role')
qs = qs.select_related('admin_role', 'read_role', 'update_role', 'execute_role')
return qs
class InventoryDetail(RetrieveUpdateDestroyAPIView):

4
awx/main/access.py
View File

@ -1384,6 +1384,10 @@ class CustomInventoryScriptAccess(BaseAccess):
return self.model.objects.distinct().all()
return self.model.accessible_objects(self.user, 'read_role').all()
@check_superuser
def can_admin(self, obj):
return self.user in obj.admin_role
@check_superuser
def can_read(self, obj):
return self.user in obj.read_role

64
awx/main/migrations/0008_v300_rbac_changes.py
View File

@ -137,11 +137,6 @@ class Migration(migrations.Migration):
name='roleancestorentry',
index_together=set([('ancestor', 'content_type_id', 'object_id'), ('ancestor', 'content_type_id', 'role_field'), ('ancestor', 'descendent')]),
),
migrations.AddField(
model_name='credential',
name='auditor_role',
field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=[b'singleton:system_auditor'], to='main.Role', null=b'True'),
),
migrations.AddField(
model_name='credential',
name='owner_role',
@ -155,27 +150,17 @@ class Migration(migrations.Migration):
migrations.AddField(
model_name='credential',
name='read_role',
field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=[b'use_role', b'auditor_role', b'owner_role'], to='main.Role', null=b'True'),
field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=[b'singleton:system_auditor', b'use_role', b'owner_role'], to='main.Role', null=b'True'),
),
migrations.AddField(
model_name='custominventoryscript',
name='admin_role',
field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=b'organization.admin_role', to='main.Role', null=b'True'),
),
migrations.AddField(
model_name='custominventoryscript',
name='auditor_role',
field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=b'organization.auditor_role', to='main.Role', null=b'True'),
),
migrations.AddField(
model_name='custominventoryscript',
name='member_role',
field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=b'organization.member_role', to='main.Role', null=b'True'),
),
migrations.AddField(
model_name='custominventoryscript',
name='read_role',
field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=[b'auditor_role', b'member_role', b'admin_role'], to='main.Role', null=b'True'),
field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=[b'organization.auditor_role', b'organization.member_role', b'admin_role'], to='main.Role', null=b'True'),
),
migrations.AddField(
model_name='group',
@ -187,11 +172,6 @@ class Migration(migrations.Migration):
name='adhoc_role',
field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=[b'inventory.adhoc_role', b'parents.adhoc_role', b'admin_role'], to='main.Role', null=b'True'),
),
migrations.AddField(
model_name='group',
name='auditor_role',
field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=[b'inventory.auditor_role', b'parents.auditor_role'], to='main.Role', null=b'True'),
),
migrations.AddField(
model_name='group',
name='execute_role',
@ -205,7 +185,7 @@ class Migration(migrations.Migration):
migrations.AddField(
model_name='group',
name='read_role',
field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=[b'execute_role', b'update_role', b'auditor_role', b'admin_role'], to='main.Role', null=b'True'),
field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=[b'inventory.read_role', b'parents.read_role', b'execute_role', b'update_role', b'admin_role'], to='main.Role', null=b'True'),
),
migrations.AddField(
model_name='inventory',
@ -215,12 +195,7 @@ class Migration(migrations.Migration):
migrations.AddField(
model_name='inventory',
name='adhoc_role',
field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=[b'admin_role'], to='main.Role', null=b'True'),
),
migrations.AddField(
model_name='inventory',
name='auditor_role',
field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=b'organization.auditor_role', to='main.Role', null=b'True'),
field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=b'admin_role', to='main.Role', null=b'True'),
),
migrations.AddField(
model_name='inventory',
@ -230,28 +205,23 @@ class Migration(migrations.Migration):
migrations.AddField(
model_name='inventory',
name='update_role',
field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=[b'admin_role'], to='main.Role', null=b'True'),
field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=b'admin_role', to='main.Role', null=b'True'),
),
migrations.AddField(
model_name='inventory',
name='use_role',
field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=[b'admin_role'], to='main.Role', null=b'True'),
field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=b'admin_role', to='main.Role', null=b'True'),
),
migrations.AddField(
model_name='inventory',
name='read_role',
field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=[b'auditor_role', b'execute_role', b'update_role', b'use_role', b'admin_role'], to='main.Role', null=b'True'),
field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=[b'organization.auditor_role', b'execute_role', b'update_role', b'use_role', b'admin_role'], to='main.Role', null=b'True'),
),
migrations.AddField(
model_name='jobtemplate',
name='admin_role',
field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=[(b'project.admin_role', b'inventory.admin_role')], to='main.Role', null=b'True'),
),
migrations.AddField(
model_name='jobtemplate',
name='auditor_role',
field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=[(b'project.auditor_role', b'inventory.auditor_role')], to='main.Role', null=b'True'),
),
migrations.AddField(
model_name='jobtemplate',
name='execute_role',
@ -260,7 +230,7 @@ class Migration(migrations.Migration):
migrations.AddField(
model_name='jobtemplate',
name='read_role',
field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=[b'execute_role', b'auditor_role', b'admin_role'], to='main.Role', null=b'True'),
field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=[(b'project.organization.auditor_role', b'inventory.organization.auditor_role'), b'execute_role', b'admin_role'], to='main.Role', null=b'True'),
),
migrations.AddField(
model_name='organization',
@ -289,34 +259,24 @@ class Migration(migrations.Migration):
),
migrations.AddField(
model_name='project',
name='auditor_role',
field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=[b'organization.auditor_role', b'singleton:system_auditor'], to='main.Role', null=b'True'),
),
migrations.AddField(
model_name='project',
name='member_role',
name='use_role',
field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=b'admin_role', to='main.Role', null=b'True'),
),
migrations.AddField(
model_name='project',
name='scm_update_role',
name='update_role',
field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=b'admin_role', to='main.Role', null=b'True'),
),
migrations.AddField(
model_name='project',
name='read_role',
field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=[b'member_role', b'auditor_role', b'scm_update_role'], to='main.Role', null=b'True'),
field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=[b'organization.auditor_role', b'singleton:system_auditor', b'use_role', b'update_role'], to='main.Role', null=b'True'),
),
migrations.AddField(
model_name='team',
name='admin_role',
field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=b'organization.admin_role', to='main.Role', null=b'True'),
),
migrations.AddField(
model_name='team',
name='auditor_role',
field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=b'organization.auditor_role', to='main.Role', null=b'True'),
),
migrations.AddField(
model_name='team',
name='member_role',
@ -325,6 +285,6 @@ class Migration(migrations.Migration):
migrations.AddField(
model_name='team',
name='read_role',
field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=[b'admin_role', b'auditor_role', b'member_role'], to='main.Role', null=b'True'),
field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=[b'admin_role', b'organization.auditor_role', b'member_role'], to='main.Role', null=b'True'),
),
]

10
awx/main/migrations/_rbac.py
View File

@ -219,7 +219,7 @@ def migrate_inventory(apps, schema_editor):
if perm.permission_type == 'admin':
return inventory.admin_role
elif perm.permission_type == 'read':
return inventory.auditor_role
return inventory.read_role
elif perm.permission_type == 'write':
return inventory.update_role
elif perm.permission_type == 'check' or perm.permission_type == 'run' or perm.permission_type == 'create':
@ -320,22 +320,22 @@ def migrate_projects(apps, schema_editor):
logger.warn(smart_text(u'adding Project({}) admin: {}'.format(project.name, project.created_by.username)))
for team in project.deprecated_teams.all():
team.member_role.children.add(project.member_role)
team.member_role.children.add(project.use_role)
logger.info(smart_text(u'adding Team({}) access for Project({})'.format(team.name, project.name)))
if project.organization is not None:
for user in project.organization.deprecated_users.all():
project.member_role.members.add(user)
project.use_role.members.add(user)
logger.info(smart_text(u'adding Organization({}) member access to Project({})'.format(project.organization.name, project.name)))
for perm in Permission.objects.filter(project=project):
# All perms at this level just imply a user or team can read
if perm.team:
perm.team.member_role.children.add(project.member_role)
perm.team.member_role.children.add(project.use_role)
logger.info(smart_text(u'adding Team({}) access for Project({})'.format(perm.team.name, project.name)))
if perm.user:
project.member_role.members.add(perm.user)
project.use_role.members.add(perm.user)
logger.info(smart_text(u'adding User({}) access for Project({})'.format(perm.user.username, project.name)))

15
awx/main/models/credential.py
View File

@ -208,19 +208,14 @@ class Credential(PasswordFieldsModel, CommonModelNameNotUnique, ResourceMixin):
'singleton:' + ROLE_SINGLETON_SYSTEM_ADMINISTRATOR,
],
)
auditor_role = ImplicitRoleField(
parent_role=[
'singleton:' + ROLE_SINGLETON_SYSTEM_AUDITOR,
],
)
use_role = ImplicitRoleField(
parent_role=['owner_role']
)
read_role = ImplicitRoleField(
parent_role=[
'use_role', 'auditor_role', 'owner_role'
],
)
read_role = ImplicitRoleField(parent_role=[
'singleton:' + ROLE_SINGLETON_SYSTEM_AUDITOR,
'use_role',
'owner_role'
])
@property
def needs_ssh_password(self):

40
awx/main/models/inventory.py
View File

@ -99,24 +99,25 @@ class Inventory(CommonModel, ResourceMixin):
admin_role = ImplicitRoleField(
parent_role='organization.admin_role',
)
auditor_role = ImplicitRoleField(
parent_role='organization.auditor_role',
)
update_role = ImplicitRoleField(
parent_role=['admin_role'],
parent_role='admin_role',
)
use_role = ImplicitRoleField(
parent_role=['admin_role'],
parent_role='admin_role',
)
adhoc_role = ImplicitRoleField(
parent_role=['admin_role'],
parent_role='admin_role',
)
execute_role = ImplicitRoleField(
parent_role='adhoc_role',
)
read_role = ImplicitRoleField(
parent_role=['auditor_role', 'execute_role', 'update_role', 'use_role', 'admin_role'],
)
read_role = ImplicitRoleField(parent_role=[
'organization.auditor_role',
'execute_role',
'update_role',
'use_role',
'admin_role',
])
def get_absolute_url(self):
return reverse('api:inventory_detail', args=(self.pk,))
@ -519,9 +520,6 @@ class Group(CommonModelNameNotUnique, ResourceMixin):
admin_role = ImplicitRoleField(
parent_role=['inventory.admin_role', 'parents.admin_role'],
)
auditor_role = ImplicitRoleField(
parent_role=['inventory.auditor_role', 'parents.auditor_role'],
)
update_role = ImplicitRoleField(
parent_role=['inventory.update_role', 'parents.update_role', 'admin_role'],
)
@ -531,9 +529,13 @@ class Group(CommonModelNameNotUnique, ResourceMixin):
execute_role = ImplicitRoleField(
parent_role=['inventory.execute_role', 'parents.execute_role', 'adhoc_role'],
)
read_role = ImplicitRoleField(
parent_role=['execute_role', 'update_role', 'auditor_role', 'admin_role'],
)
read_role = ImplicitRoleField(parent_role=[
'inventory.read_role',
'parents.read_role',
'execute_role',
'update_role',
'admin_role'
])
def __unicode__(self):
return self.name
@ -1307,14 +1309,8 @@ class CustomInventoryScript(CommonModelNameNotUnique, ResourceMixin):
admin_role = ImplicitRoleField(
parent_role='organization.admin_role',
)
member_role = ImplicitRoleField(
parent_role='organization.member_role',
)
auditor_role = ImplicitRoleField(
parent_role='organization.auditor_role',
)
read_role = ImplicitRoleField(
parent_role=['auditor_role', 'member_role', 'admin_role'],
parent_role=['organization.auditor_role', 'organization.member_role', 'admin_role'],
)
def get_absolute_url(self):

5
awx/main/models/jobs.py
View File

@ -223,14 +223,11 @@ class JobTemplate(UnifiedJobTemplate, JobOptions, ResourceMixin):
admin_role = ImplicitRoleField(
parent_role=[('project.admin_role', 'inventory.admin_role')]
)
auditor_role = ImplicitRoleField(
parent_role=[('project.auditor_role', 'inventory.auditor_role')]
)
execute_role = ImplicitRoleField(
parent_role=['admin_role'],
)
read_role = ImplicitRoleField(
parent_role=['execute_role', 'auditor_role', 'admin_role'],
parent_role=[('project.organization.auditor_role', 'inventory.organization.auditor_role'), 'execute_role', 'admin_role'],
)
@classmethod

5
awx/main/models/organization.py
View File

@ -104,12 +104,9 @@ class Team(CommonModelNameNotUnique, ResourceMixin):
admin_role = ImplicitRoleField(
parent_role='organization.admin_role',
)
auditor_role = ImplicitRoleField(
parent_role='organization.auditor_role',
)
member_role = ImplicitRoleField()
read_role = ImplicitRoleField(
parent_role=['admin_role', 'auditor_role', 'member_role'],
parent_role=['admin_role', 'organization.auditor_role', 'member_role'],
)
def get_absolute_url(self):

33
awx/main/models/projects.py
View File

@ -220,27 +220,26 @@ class Project(UnifiedJobTemplate, ProjectOptions, ResourceMixin):
default=0,
blank=True,
)
admin_role = ImplicitRoleField(
parent_role=[
'organization.admin_role',
'singleton:' + ROLE_SINGLETON_SYSTEM_ADMINISTRATOR,
],
)
auditor_role = ImplicitRoleField(
parent_role=[
'organization.auditor_role',
'singleton:' + ROLE_SINGLETON_SYSTEM_AUDITOR,
],
)
member_role = ImplicitRoleField(
admin_role = ImplicitRoleField(parent_role=[
'organization.admin_role',
'singleton:' + ROLE_SINGLETON_SYSTEM_ADMINISTRATOR,
])
use_role = ImplicitRoleField(
parent_role='admin_role',
)
scm_update_role = ImplicitRoleField(
update_role = ImplicitRoleField(
parent_role='admin_role',
)
read_role = ImplicitRoleField(
parent_role=['member_role', 'auditor_role', 'scm_update_role'],
)
read_role = ImplicitRoleField(parent_role=[
'organization.auditor_role',
'singleton:' + ROLE_SINGLETON_SYSTEM_AUDITOR,
'use_role',
'update_role',
])
@classmethod
def _get_unified_job_class(cls):

4
awx/main/models/rbac.py
View File

@ -42,7 +42,6 @@ role_names = {
'member_role' : 'Member',
'owner_role' : 'Owner',
'read_role' : 'Read',
'scm_update_role' : 'SCM Update',
'update_role' : 'Update',
'use_role' : 'Use',
}
@ -57,8 +56,7 @@ role_descriptions = {
'member_role' : 'User is a member of the %s',
'owner_role' : 'Owns and can manage all aspects of this %s',
'read_role' : 'May view settings for the %s',
'scm_update_role' : 'May update the project from the configured source control management system',
'update_role' : 'May update the inventory or group using the cloud source update system',
'update_role' : 'May update project or inventory or group using the configured source update system',
'use_role' : 'Can use the %s in a job template',
}

4
awx/main/tests/functional/test_projects.py
View File

@ -74,9 +74,9 @@ def test_team_project_list(get, project_factory, team_factory, admin, alice, bob
assert get(reverse('api:team_projects_list', args=(team1.pk,)), alice).data['count'] == 2
# but if she does, then she should only see the shared project
team2.auditor_role.members.add(alice)
team2.read_role.members.add(alice)
assert get(reverse('api:team_projects_list', args=(team2.pk,)), alice).data['count'] == 1
team2.auditor_role.members.remove(alice)
team2.read_role.members.remove(alice)
# Test user endpoints first, very similar tests to test_user_project_list
# but permissions are being derived from team membership instead.

22
awx/main/tests/functional/test_rbac_inventory.py
View File

@ -42,12 +42,12 @@ def test_inventory_auditor_user(inventory, permissions, user):
perm.save()
assert u not in inventory.admin_role
assert u not in inventory.auditor_role
assert u not in inventory.read_role
rbac.migrate_inventory(apps, None)
assert u not in inventory.admin_role
assert u in inventory.auditor_role
assert u in inventory.read_role
assert inventory.execute_role.members.filter(id=u.id).exists() is False
assert inventory.update_role.members.filter(id=u.id).exists() is False
@ -58,7 +58,7 @@ def test_inventory_updater_user(inventory, permissions, user):
perm.save()
assert u not in inventory.admin_role
assert u not in inventory.auditor_role
assert u not in inventory.read_role
rbac.migrate_inventory(apps, None)
@ -73,7 +73,7 @@ def test_inventory_executor_user(inventory, permissions, user):
perm.save()
assert u not in inventory.admin_role
assert u not in inventory.auditor_role
assert u not in inventory.read_role
rbac.migrate_inventory(apps, None)
@ -98,7 +98,7 @@ def test_inventory_admin_team(inventory, permissions, user, team):
assert team.member_role.members.count() == 1
assert inventory.admin_role.members.filter(id=u.id).exists() is False
assert inventory.auditor_role.members.filter(id=u.id).exists() is False
assert inventory.read_role.members.filter(id=u.id).exists() is False
assert inventory.execute_role.members.filter(id=u.id).exists() is False
assert inventory.update_role.members.filter(id=u.id).exists() is False
assert u in inventory.read_role
@ -113,14 +113,14 @@ def test_inventory_auditor(inventory, permissions, user, team):
team.deprecated_users.add(u)
assert u not in inventory.admin_role
assert u not in inventory.auditor_role
assert u not in inventory.read_role
rbac.migrate_team(apps,None)
rbac.migrate_inventory(apps, None)
assert team.member_role.members.count() == 1
assert inventory.admin_role.members.filter(id=u.id).exists() is False
assert inventory.auditor_role.members.filter(id=u.id).exists() is False
assert inventory.read_role.members.filter(id=u.id).exists() is False
assert inventory.execute_role.members.filter(id=u.id).exists() is False
assert inventory.update_role.members.filter(id=u.id).exists() is False
assert u in inventory.read_role
@ -134,14 +134,14 @@ def test_inventory_updater(inventory, permissions, user, team):
team.deprecated_users.add(u)
assert u not in inventory.admin_role
assert u not in inventory.auditor_role
assert u not in inventory.read_role
rbac.migrate_team(apps,None)
rbac.migrate_inventory(apps, None)
assert team.member_role.members.count() == 1
assert inventory.admin_role.members.filter(id=u.id).exists() is False
assert inventory.auditor_role.members.filter(id=u.id).exists() is False
assert inventory.read_role.members.filter(id=u.id).exists() is False
assert inventory.execute_role.members.filter(id=u.id).exists() is False
assert inventory.update_role.members.filter(id=u.id).exists() is False
assert team.member_role.is_ancestor_of(inventory.update_role)
@ -156,14 +156,14 @@ def test_inventory_executor(inventory, permissions, user, team):
team.deprecated_users.add(u)
assert u not in inventory.admin_role
assert u not in inventory.auditor_role
assert u not in inventory.read_role
rbac.migrate_team(apps, None)
rbac.migrate_inventory(apps, None)
assert team.member_role.members.count() == 1
assert inventory.admin_role.members.filter(id=u.id).exists() is False
assert inventory.auditor_role.members.filter(id=u.id).exists() is False
assert inventory.read_role.members.filter(id=u.id).exists() is False
assert inventory.execute_role.members.filter(id=u.id).exists() is False
assert inventory.update_role.members.filter(id=u.id).exists() is False
assert team.member_role.is_ancestor_of(inventory.update_role) is False

4
awx/main/tests/functional/test_rbac_team.py
View File

@ -72,7 +72,7 @@ def test_team_access_member(organization, team, user):
def test_team_accessible_by(team, user, project):
u = user('team_member', False)
team.member_role.children.add(project.member_role)
team.member_role.children.add(project.use_role)
assert team in project.read_role
assert u not in project.read_role
@ -83,7 +83,7 @@ def test_team_accessible_by(team, user, project):
def test_team_accessible_objects(team, user, project):
u = user('team_member', False)
team.member_role.children.add(project.member_role)
team.member_role.children.add(project.use_role)
assert len(Project.accessible_objects(team, 'read_role')) == 1
assert not Project.accessible_objects(u, 'read_role')

2
awx/main/tests/old/ad_hoc.py
View File

@ -491,7 +491,7 @@ class AdHocCommandApiTest(BaseAdHocCommandTest):
# Explicitly give nobody user read permission on the inventory.
nobody_roles_list_url = reverse('api:user_roles_list', args=(self.nobody_django_user.pk,))
with self.current_user('admin'):
response = self.post(nobody_roles_list_url, {"id": self.inventory.auditor_role.id}, expect=204)
response = self.post(nobody_roles_list_url, {"id": self.inventory.read_role.id}, expect=204)
with self.current_user('nobody'):
self.run_test_ad_hoc_command(credential=other_cred.pk, expect=403)
self.check_get_list(url, 'other', qs)

10
awx/main/tests/old/inventory.py
View File

@ -59,7 +59,7 @@ class InventoryTest(BaseTest):
# create a permission here on the 'other' user so they have edit access on the org
# we may add another permission type later.
self.inventory_b.auditor_role.members.add(self.other_django_user)
self.inventory_b.read_role.members.add(self.other_django_user)
def tearDown(self):
super(InventoryTest, self).tearDown()
@ -267,14 +267,14 @@ class InventoryTest(BaseTest):
temp_inv = temp_org.inventories.create(name='Delete Org Inventory')
temp_inv.groups.create(name='Delete Org Inventory Group')
temp_inv.auditor_role.members.add(self.other_django_user)
temp_inv.read_role.members.add(self.other_django_user)
reverse('api:organization_detail', args=(temp_org.pk,))
inventory_detail = reverse('api:inventory_detail', args=(temp_inv.pk,))
auditor_role_users_list = reverse('api:role_users_list', args=(temp_inv.auditor_role.pk,))
read_role_users_list = reverse('api:role_users_list', args=(temp_inv.read_role.pk,))
self.get(inventory_detail, expect=200, auth=self.get_other_credentials())
self.post(auditor_role_users_list, data={'disassociate': True, "id": self.other_django_user.id}, expect=204, auth=self.get_super_credentials())
self.post(read_role_users_list, data={'disassociate': True, "id": self.other_django_user.id}, expect=204, auth=self.get_super_credentials())
self.get(inventory_detail, expect=403, auth=self.get_other_credentials())
def test_create_inventory_script(self):
@ -1474,7 +1474,7 @@ class InventoryUpdatesTest(BaseTransactionTest):
# to see the inventory source and update view, but not start an update.
user_roles_list_url = reverse('api:user_roles_list', args=(self.other_django_user.pk,))
with self.current_user(self.super_django_user):
self.post(user_roles_list_url, {"id": self.inventory.auditor_role.id}, expect=204)
self.post(user_roles_list_url, {"id": self.inventory.read_role.id}, expect=204)
with self.current_user(self.other_django_user):
self.get(inv_src_url, expect=200)
response = self.get(inv_src_update_url, expect=200)

2
awx/main/tests/old/schedules.py
View File

@ -71,7 +71,7 @@ class ScheduleTest(BaseTest):
self.first_inventory_source.source = 'ec2'
self.first_inventory_source.save()
self.first_inventory.auditor_role.members.add(self.other_django_user)
self.first_inventory.read_role.members.add(self.other_django_user)
self.second_inventory = Inventory.objects.create(name='test_inventory_2', description='for org 0', organization=self.organizations[0])
self.second_inventory.hosts.create(name='host_2')