1
0
mirror of https://github.com/ansible/awx.git synced 2024-10-31 23:51:09 +03:00

Address PR feedback

This commit is contained in:
Wayne Witzel III 2018-02-14 22:06:10 +00:00
parent 13e777f01b
commit 30a5617825
4 changed files with 26 additions and 14 deletions

View File

@ -660,7 +660,7 @@ class InventoryAccess(BaseAccess):
# Verify that the user has access to the new organization if moving an
# inventory to a new organization. Otherwise, just check for admin permission.
return (
self.check_related('organization', Organization, data, obj=obj,
self.check_related('organization', Organization, data, obj=obj, role_field='inventory_admin_role',
mandatory=org_admin_mandatory) and
self.user in obj.admin_role
)
@ -985,7 +985,8 @@ class CredentialAccess(BaseAccess):
return check_user_access(self.user, Team, 'change', team_obj, None)
if data and data.get('organization', None):
organization_obj = get_object_from_data('organization', Organization, data)
return check_user_access(self.user, Organization, 'change', organization_obj, None)
return any([check_user_access(self.user, Organization, 'change', organization_obj, None),
self.user in organization_obj.credential_admin_role])
return False
@check_superuser
@ -1098,7 +1099,7 @@ class ProjectAccess(BaseAccess):
@check_superuser
def can_change(self, obj, data):
if not self.check_related('organization', Organization, data, obj=obj):
if not self.check_related('organization', Organization, data, obj=obj, role_field='project_admin_role'):
return False
return self.user in obj.admin_role
@ -1439,7 +1440,7 @@ class JobAccess(BaseAccess):
elif not jt_access:
return False
org_access = obj.inventory and self.user in obj.inventory.organization.admin_role
org_access = obj.inventory and self.user in obj.inventory.organization.inventory_admin_role
project_access = obj.project is None or self.user in obj.project.admin_role
credential_access = all([self.user in cred.use_role for cred in obj.credentials.all()])
@ -2218,8 +2219,7 @@ class NotificationTemplateAccess(BaseAccess):
def filtered_queryset(self):
return self.model.objects.filter(
Q(organization__in=Organization.objects.filter(notification_admin_role__members=self.user)) |
Q(organization__in=self.user.admin_of_organizations) |
Q(organization__in=Organization.accessible_objects(self.user, 'notification_admin_role')) |
Q(organization__in=self.user.auditor_of_organizations)
).distinct()
@ -2266,8 +2266,7 @@ class NotificationAccess(BaseAccess):
def filtered_queryset(self):
return self.model.objects.filter(
Q(notification_template__organization__in=Organization.objects.filter(notification_admin_role__members=self.user)) |
Q(notification_template__organization__in=self.user.admin_of_organizations) |
Q(notification_template__organization__in=Organization.accessible_objects(self.user, 'notification_admin_role')) |
Q(notification_template__organization__in=self.user.auditor_of_organizations)
).distinct()

View File

@ -11,7 +11,7 @@ import django.db.models.deletion
class Migration(migrations.Migration):
dependencies = [
('main', '0019_v330_custom_virtualenv'),
('main', '0020_v330_instancegroup_policies'),
]
operations = [

View File

@ -10,7 +10,7 @@ from awx.main.migrations import _migration_utils as migration_utils
class Migration(ActivityStreamDisabledMigration):
dependencies = [
('main', '0020_v330_declare_new_rbac_roles'),
('main', '0021_v330_declare_new_rbac_roles'),
]
operations = [

View File

@ -61,7 +61,10 @@ role_descriptions = {
'workflow_admin_role': _('Can manage all workflows of the %s'),
'notification_admin_role': _('Can manage all notifications of the %s'),
'auditor_role': _('Can view all settings for the %s'),
'execute_role': _('May run the %s'),
'execute_role': {
'organization': _('May run any executable resources in the organization'),
'default': _('May run the %s'),
},
'member_role': _('User is a member of the %s'),
'read_role': _('May view settings for the %s'),
'update_role': _('May update project or inventory or group using the configured source update system'),
@ -180,12 +183,22 @@ class Role(models.Model):
global role_descriptions
description = role_descriptions[self.role_field]
content_type = self.content_type
if '%s' in description and content_type:
model_name = None
if content_type:
model = content_type.model_class()
model_name = re.sub(r'([a-z])([A-Z])', r'\1 \2', model.__name__).lower()
description = description % model_name
return description
value = description
if type(description) == dict:
value = description.get(model_name)
if value is None:
value = description.get('default')
if '%s' in value and content_type:
value = value % model_name
return value
@staticmethod
def rebuild_role_ancestor_list(additions, removals):