1
0
mirror of https://github.com/ansible/awx.git synced 2024-11-01 08:21:15 +03:00

Merge pull request #3150 from AlanCoding/3146_org_admin_sys_aud

Limit creation of system auditors to superusers
This commit is contained in:
Alan Rominger 2016-07-27 17:16:39 -04:00 committed by GitHub
commit 2895c9fe9c
2 changed files with 19 additions and 4 deletions

View File

@ -245,16 +245,18 @@ class UserAccess(BaseAccess):
def can_add(self, data): def can_add(self, data):
if data is not None and 'is_superuser' in data: if data is not None and ('is_superuser' in data or 'is_system_auditor' in data):
if to_python_boolean(data['is_superuser'], allow_none=True) and not self.user.is_superuser: if (to_python_boolean(data.get('is_superuser', 'false'), allow_none=True) or
to_python_boolean(data.get('is_system_auditor', 'false'), allow_none=True)) and not self.user.is_superuser:
return False return False
if self.user.is_superuser: if self.user.is_superuser:
return True return True
return Organization.accessible_objects(self.user, 'admin_role').exists() return Organization.accessible_objects(self.user, 'admin_role').exists()
def can_change(self, obj, data): def can_change(self, obj, data):
if data is not None and 'is_superuser' in data: if data is not None and ('is_superuser' in data or 'is_system_auditor' in data):
if to_python_boolean(data['is_superuser'], allow_none=True) and not self.user.is_superuser: if (to_python_boolean(data.get('is_superuser', 'false'), allow_none=True) or
to_python_boolean(data.get('is_system_auditor', 'false'), allow_none=True)) and not self.user.is_superuser:
return False return False
# A user can be changed if they are themselves, or by org admins or # A user can be changed if they are themselves, or by org admins or
# superusers. Change permission implies changing only certain fields # superusers. Change permission implies changing only certain fields

View File

@ -75,3 +75,16 @@ def test_org_user_removed(user, organization):
organization.member_role.members.remove(member) organization.member_role.members.remove(member)
assert admin not in member.admin_role assert admin not in member.admin_role
@pytest.mark.django_db
def test_org_admin_create_sys_auditor(org_admin):
access = UserAccess(org_admin)
assert not access.can_add(data=dict(
username='new_user', password="pa$$sowrd", email="asdf@redhat.com",
is_system_auditor='true'))
@pytest.mark.django_db
def test_org_admin_edit_sys_auditor(org_admin, alice, organization):
organization.member_role.members.add(alice)
access = UserAccess(org_admin)
assert not access.can_change(obj=alice, data=dict(is_system_auditor='true'))