shaba/awx
1
0
Fork 0
mirror of https://github.com/ansible/awx.git synced 2024-11-02 18:21:12 +03:00
Code Releases Activity

Moved access control from credential add view to access.py

Browse Source 
as it should have always been. This messes up being able to post to
api/v1/users/:n/credentials and api/v1/teams/:n/credentials without
specifyign the user/team id in the post body, but looking at the old
code it looks like this might have always been the case, so whatevs..

This fixes a old v new access.py test "failure", and is better anyways..
This commit is contained in:
Akita Noek 2016-04-29 17:27:14 -04:00
parent 1bf4fdbff1
commit 29b55fa04d
3 changed files with 25 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
awx/api/views.py
View File

@ -1232,15 +1232,15 @@ class CredentialList(ListCreateAPIView):
if 'user' in request.data: if 'user' in request.data:
user = User.objects.get(pk=request.data['user']) user = User.objects.get(pk=request.data['user'])
obj = user can_add_params = {'user': user.id}
if 'team' in request.data: if 'team' in request.data:
team = Team.objects.get(pk=request.data['team']) team = Team.objects.get(pk=request.data['team'])
obj = team can_add_params = {'team': team.id}
if 'organization' in request.data: if 'organization' in request.data:
organization = Organization.objects.get(pk=request.data['organization']) organization = Organization.objects.get(pk=request.data['organization'])
obj = organization can_add_params = {'organization': organization.id}
if not self.request.user.can_access(type(obj), 'change', obj, request.data): if not self.request.user.can_access(Credential, 'add', can_add_params):
raise PermissionDenied() raise PermissionDenied()
ret = super(CredentialList, self).post(request, *args, **kwargs) ret = super(CredentialList, self).post(request, *args, **kwargs)
@ -1270,8 +1270,7 @@ class UserCredentialsList(CredentialList):
return user_creds & visible_creds return user_creds & visible_creds
def post(self, request, *args, **kwargs): def post(self, request, *args, **kwargs):
user = User.objects.get(pk=self.kwargs['pk']) request.data['user'] = self.kwargs['pk']
request.data['user'] = user.id
# The following post takes care of ensuring the current user can add a cred to this user # The following post takes care of ensuring the current user can add a cred to this user
return super(UserCredentialsList, self).post(request, args, kwargs) return super(UserCredentialsList, self).post(request, args, kwargs)
@ -1290,8 +1289,7 @@ class TeamCredentialsList(CredentialList):
return team_creds & visible_creds return team_creds & visible_creds
def post(self, request, *args, **kwargs): def post(self, request, *args, **kwargs):
team = Team.objects.get(pk=self.kwargs['pk']) request.data['team'] = self.kwargs['pk']
request.data['team'] = team.id
# The following post takes care of ensuring the current user can add a cred to this user # The following post takes care of ensuring the current user can add a cred to this user
return super(TeamCredentialsList, self).post(request, args, kwargs) return super(TeamCredentialsList, self).post(request, args, kwargs)

16
awx/main/access.py
View File

@ -572,8 +572,22 @@ class CredentialAccess(BaseAccess):
return self.user in obj.read_role return self.user in obj.read_role
def can_add(self, data): def can_add(self, data):
# Access enforced in our view where we have context enough to make a decision if self.user.is_superuser:
return True return True
user_pk = get_pk_from_dict(data, 'user')
if user_pk:
user_obj = get_object_or_400(User, pk=user_pk)
return check_user_access(self.user, User, 'change', user_obj, None)
team_pk = get_pk_from_dict(data, 'team')
if team_pk:
team_obj = get_object_or_400(Team, pk=team_pk)
return check_user_access(self.user, Team, 'change', team_obj, None)
organization_pk = get_pk_from_dict(data, 'organization')
if organization_pk:
organization_obj = get_object_or_400(Organization, pk=organization_pk)
return check_user_access(self.user, Organization, 'change', organization_obj, None)
return False
@check_superuser @check_superuser
def can_use(self, obj): def can_use(self, obj):

3
awx/main/tests/functional/api/test_credential.py
View File

@ -24,6 +24,7 @@ def test_create_user_credential_via_credentials_list(post, get, alice):
@pytest.mark.django_db @pytest.mark.django_db
def test_create_user_credential_via_user_credentials_list(post, get, alice): def test_create_user_credential_via_user_credentials_list(post, get, alice):
response = post(reverse('api:user_credentials_list', args=(alice.pk,)), { response = post(reverse('api:user_credentials_list', args=(alice.pk,)), {
'user': alice.pk,
'name': 'Some name', 'name': 'Some name',
'username': 'someusername', 'username': 'someusername',
}, alice) }, alice)
@ -45,6 +46,7 @@ def test_create_user_credential_via_credentials_list_xfail(post, alice, bob):
@pytest.mark.django_db @pytest.mark.django_db
def test_create_user_credential_via_user_credentials_list_xfail(post, alice, bob): def test_create_user_credential_via_user_credentials_list_xfail(post, alice, bob):
response = post(reverse('api:user_credentials_list', args=(bob.pk,)), { response = post(reverse('api:user_credentials_list', args=(bob.pk,)), {
'user': bob.pk,
'name': 'Some name', 'name': 'Some name',
'username': 'someusername' 'username': 'someusername'
}, alice) }, alice)
@ -71,6 +73,7 @@ def test_create_team_credential(post, get, team, org_admin, team_member):
@pytest.mark.django_db @pytest.mark.django_db
def test_create_team_credential_via_team_credentials_list(post, get, team, org_admin, team_member): def test_create_team_credential_via_team_credentials_list(post, get, team, org_admin, team_member):
response = post(reverse('api:team_credentials_list', args=(team.pk,)), { response = post(reverse('api:team_credentials_list', args=(team.pk,)), {
'team': team.pk,
'name': 'Some name', 'name': 'Some name',
'username': 'someusername', 'username': 'someusername',
}, org_admin) }, org_admin)