Merge pull request #3150 from AlanCoding/3146_org_admin_sys_aud

Limit creation of system auditors to superusers
2024-11-01 08:21:15 +03:00 · 2016-07-27 17:16:39 -04:00 · 2016-07-27 17:16:39 -04:00 · 2895c9fe9c
commit 2895c9fe9c
parent f53a1b8f6c 945635eb70
2 changed files with 19 additions and 4 deletions
--- a/awx/main/access.py
+++ b/awx/main/access.py
@ -245,16 +245,18 @@ class UserAccess(BaseAccess):


    def can_add(self, data):
-        if data is not None and 'is_superuser' in data:
-            if to_python_boolean(data['is_superuser'], allow_none=True) and not self.user.is_superuser:
+        if data is not None and ('is_superuser' in data or 'is_system_auditor' in data):
+            if (to_python_boolean(data.get('is_superuser', 'false'), allow_none=True) or
+                    to_python_boolean(data.get('is_system_auditor', 'false'), allow_none=True)) and not self.user.is_superuser:
                return False
        if self.user.is_superuser:
            return True
        return Organization.accessible_objects(self.user, 'admin_role').exists()

    def can_change(self, obj, data):
-        if data is not None and 'is_superuser' in data:
-            if to_python_boolean(data['is_superuser'], allow_none=True) and not self.user.is_superuser:
+        if data is not None and ('is_superuser' in data or 'is_system_auditor' in data):
+            if (to_python_boolean(data.get('is_superuser', 'false'), allow_none=True) or
+                    to_python_boolean(data.get('is_system_auditor', 'false'), allow_none=True)) and not self.user.is_superuser:
                return False
        # A user can be changed if they are themselves, or by org admins or
        # superusers.  Change permission implies changing only certain fields
--- a/awx/main/tests/functional/test_rbac_user.py
+++ b/awx/main/tests/functional/test_rbac_user.py
@ -75,3 +75,16 @@ def test_org_user_removed(user, organization):

    organization.member_role.members.remove(member)
    assert admin not in member.admin_role
+
+@pytest.mark.django_db
+def test_org_admin_create_sys_auditor(org_admin):
+    access = UserAccess(org_admin)
+    assert not access.can_add(data=dict(
+        username='new_user', password="pa$$sowrd", email="asdf@redhat.com",
+        is_system_auditor='true'))
+
+@pytest.mark.django_db
+def test_org_admin_edit_sys_auditor(org_admin, alice, organization):
+    organization.member_role.members.add(alice)
+    access = UserAccess(org_admin)
+    assert not access.can_change(obj=alice, data=dict(is_system_auditor='true'))