1
0
mirror of https://github.com/ansible/awx.git synced 2024-10-31 15:21:13 +03:00

Optimize inventory read check for Job Templates

Our old check used an extremely inefficient boolean logic AND and
generated a bad query.   This does a simpler check by querying the
inventories that the user has access to and using that as a simple
condition when performing the job template permission query
This commit is contained in:
Matthew Jones 2015-07-31 00:04:47 -04:00
parent 26f942a593
commit 2bdc79f3ba

View File

@ -864,11 +864,11 @@ class JobTemplateAccess(BaseAccess):
if self.user.is_superuser:
return qs
credential_ids = set(self.user.get_queryset(Credential).values_list('id', flat=True))
inventory_ids = set(self.user.get_queryset(Inventory).values_list('id', flat=True))
base_qs = qs.filter(
Q(credential_id__in=credential_ids) | Q(credential__isnull=True),
Q(cloud_credential_id__in=credential_ids) | Q(cloud_credential__isnull=True),
)
# FIXME: Check active status on related objects!
org_admin_qs = base_qs.filter(
Q(project__organizations__admins__in=[self.user]) |
(Q(project__isnull=True) & Q(job_type=PERM_INVENTORY_SCAN) & Q(inventory__organization__admins__in=[self.user]))
@ -895,6 +895,7 @@ class JobTemplateAccess(BaseAccess):
inventory__permissions__in=deploy_permissions_ids,
project__permissions__in=deploy_permissions_ids,
inventory__permissions__pk=F('project__permissions__pk'),
inventory_id__in=inventory_ids,
)
perm_check_qs = base_qs.filter(
@ -902,23 +903,10 @@ class JobTemplateAccess(BaseAccess):
inventory__permissions__in=check_permissions_ids,
project__permissions__in=check_permissions_ids,
inventory__permissions__pk=F('project__permissions__pk'),
inventory_id__in=inventory_ids,
)
perm_inventory_read_user_qs = qs.filter(
inventory__permissions__user__in=[self.user],
inventory__permissions__permission_type__in=PERMISSION_TYPES_ALLOWING_INVENTORY_READ,
inventory__permissions__active=True)
perm_inventory_read_team_qs = qs.filter(
inventory__permissions__team__users__in=[self.user],
inventory__permissions__team__active=True,
inventory__permissions__permission_type__in=PERMISSION_TYPES_ALLOWING_INVENTORY_READ,
inventory__permissions__active=True)
perm_inventory = perm_inventory_read_user_qs | perm_inventory_read_team_qs
# FIXME: I *think* this should work... needs more testing.
return org_admin_qs | (perm_deploy_qs & perm_inventory) | (perm_check_qs & perm_inventory)
return org_admin_qs | perm_deploy_qs | perm_check_qs
def can_read(self, obj):
# you can only see the job templates that you have permission to launch.