Moved access control from credential add view to access.py

as it should have always been. This messes up being able to post to api/v1/users/:n/credentials and api/v1/teams/:n/credentials without specifyign the user/team id in the post body, but looking at the old code it looks like this might have always been the case, so whatevs.. This fixes a old v new access.py test "failure", and is better anyways..
2024-11-02 09:51:09 +03:00 · 2016-04-29 17:27:14 -04:00 · 2016-04-29 17:27:14 -04:00 · 29b55fa04d
commit 29b55fa04d
parent 1bf4fdbff1
3 changed files with 25 additions and 10 deletions
--- a/awx/api/views.py
+++ b/awx/api/views.py
@ -1232,15 +1232,15 @@ class CredentialList(ListCreateAPIView):

        if 'user' in request.data:
            user = User.objects.get(pk=request.data['user'])
-            obj = user
+            can_add_params = {'user': user.id}
        if 'team' in request.data:
            team = Team.objects.get(pk=request.data['team'])
-            obj = team
+            can_add_params = {'team': team.id}
        if 'organization' in request.data:
            organization = Organization.objects.get(pk=request.data['organization'])
-            obj = organization
+            can_add_params = {'organization': organization.id}

-        if not self.request.user.can_access(type(obj), 'change', obj, request.data):
+        if not self.request.user.can_access(Credential, 'add', can_add_params):
            raise PermissionDenied()

        ret = super(CredentialList, self).post(request, *args, **kwargs)
@ -1270,8 +1270,7 @@ class UserCredentialsList(CredentialList):
        return user_creds & visible_creds

    def post(self, request, *args, **kwargs):
-        user = User.objects.get(pk=self.kwargs['pk'])
-        request.data['user'] = user.id
+        request.data['user'] = self.kwargs['pk']
        # The following post takes care of ensuring the current user can add a cred to this user
        return super(UserCredentialsList, self).post(request, args, kwargs)

@ -1290,8 +1289,7 @@ class TeamCredentialsList(CredentialList):
        return team_creds & visible_creds

    def post(self, request, *args, **kwargs):
-        team = Team.objects.get(pk=self.kwargs['pk'])
-        request.data['team'] = team.id
+        request.data['team'] = self.kwargs['pk']
        # The following post takes care of ensuring the current user can add a cred to this user
        return super(TeamCredentialsList, self).post(request, args, kwargs)

--- a/awx/main/access.py
+++ b/awx/main/access.py
@ -572,8 +572,22 @@ class CredentialAccess(BaseAccess):
        return self.user in obj.read_role

    def can_add(self, data):
-        # Access enforced in our view where we have context enough to make a decision
-        return True
+        if self.user.is_superuser:
+            return True
+        user_pk = get_pk_from_dict(data, 'user')
+        if user_pk:
+            user_obj = get_object_or_400(User, pk=user_pk)
+            return check_user_access(self.user, User, 'change', user_obj, None)
+        team_pk = get_pk_from_dict(data, 'team')
+        if team_pk:
+            team_obj = get_object_or_400(Team, pk=team_pk)
+            return check_user_access(self.user, Team, 'change', team_obj, None)
+        organization_pk = get_pk_from_dict(data, 'organization')
+        if organization_pk:
+            organization_obj = get_object_or_400(Organization, pk=organization_pk)
+            return check_user_access(self.user, Organization, 'change', organization_obj, None)
+        return False
+

    @check_superuser
    def can_use(self, obj):
--- a/awx/main/tests/functional/api/test_credential.py
+++ b/awx/main/tests/functional/api/test_credential.py
@ -24,6 +24,7 @@ def test_create_user_credential_via_credentials_list(post, get, alice):
@pytest.mark.django_db
 def test_create_user_credential_via_user_credentials_list(post, get, alice):
    response = post(reverse('api:user_credentials_list', args=(alice.pk,)), {
+        'user': alice.pk,
        'name': 'Some name',
        'username': 'someusername',
    }, alice)
@ -45,6 +46,7 @@ def test_create_user_credential_via_credentials_list_xfail(post, alice, bob):
@pytest.mark.django_db
 def test_create_user_credential_via_user_credentials_list_xfail(post, alice, bob):
    response = post(reverse('api:user_credentials_list', args=(bob.pk,)), {
+        'user': bob.pk,
        'name': 'Some name',
        'username': 'someusername'
    }, alice)
@ -71,6 +73,7 @@ def test_create_team_credential(post, get, team, org_admin, team_member):
@pytest.mark.django_db
 def test_create_team_credential_via_team_credentials_list(post, get, team, org_admin, team_member):
    response = post(reverse('api:team_credentials_list', args=(team.pk,)), {
+        'team': team.pk,
        'name': 'Some name',
        'username': 'someusername',
    }, org_admin)