mirror of
https://github.com/ansible/awx.git
synced 2024-10-31 15:21:13 +03:00
Fixed AC-261. Relaxed permission requirements on parent object needed to view sublists.
This commit is contained in:
parent
9916a5eefb
commit
4aaeb9506f
@ -146,6 +146,7 @@ class UserAccess(BaseAccess):
|
||||
- I'm a superuser.
|
||||
- I'm that user.
|
||||
- I'm their org admin.
|
||||
- I'm in an org with that user.
|
||||
- I'm on a team with that user.
|
||||
I can change some fields for a user (mainly password) when I am that user.
|
||||
I can change all fields for a user (admin access) or delete when:
|
||||
@ -162,6 +163,7 @@ class UserAccess(BaseAccess):
|
||||
return qs.filter(
|
||||
Q(pk=self.user.pk) |
|
||||
Q(organizations__in=self.user.admin_of_organizations.all()) |
|
||||
Q(organizations__in=self.user.organizations.all()) |
|
||||
Q(teams__in=self.user.teams.all())
|
||||
).distinct()
|
||||
|
||||
@ -521,6 +523,7 @@ class ProjectAccess(BaseAccess):
|
||||
I can see projects when:
|
||||
- I am a superuser.
|
||||
- I am an admin in an organization associated with the project.
|
||||
- I am a user in an organization associated with the project.
|
||||
- I am on a team associated with the project.
|
||||
- I have been explicitly granted permission to run/check jobs using the
|
||||
project.
|
||||
@ -529,7 +532,6 @@ class ProjectAccess(BaseAccess):
|
||||
- I am a superuser.
|
||||
- I am an admin in an organization associated with the project.
|
||||
'''
|
||||
# FIXME: Also just a user of the org, or not?
|
||||
|
||||
model = Project
|
||||
|
||||
@ -541,6 +543,7 @@ class ProjectAccess(BaseAccess):
|
||||
return qs.filter(
|
||||
Q(created_by=self.user) |
|
||||
Q(organizations__admins__in=[self.user]) |
|
||||
Q(organizations__users__in=[self.user]) |
|
||||
Q(teams__users__in=[self.user]) |
|
||||
Q(permissions__user=self.user, permissions__permission_type__in=allowed) |
|
||||
Q(permissions__team__users__in=[self.user], permissions__permission_type__in=allowed)
|
||||
|
@ -59,7 +59,7 @@ class SubListAPIView(ListAPIView):
|
||||
# relationship = 'rel_name_from_parent_to_model'
|
||||
# And optionally (user must have given access permission on parent object
|
||||
# to view sublist):
|
||||
# parent_access = 'admin'
|
||||
# parent_access = 'read'
|
||||
|
||||
def get_description_vars(self):
|
||||
d = super(SubListAPIView, self).get_description_vars()
|
||||
@ -81,7 +81,7 @@ class SubListAPIView(ListAPIView):
|
||||
|
||||
def check_parent_access(self, parent=None):
|
||||
parent = parent or self.get_parent_object()
|
||||
parent_access = getattr(self, 'parent_access', 'admin')
|
||||
parent_access = getattr(self, 'parent_access', 'read')
|
||||
if parent_access in ('read', 'delete'):
|
||||
args = (self.parent_model, parent_access, parent)
|
||||
else:
|
||||
|
@ -42,11 +42,12 @@ class OrganizationsTest(BaseTest):
|
||||
# admin_user is an admin and regular user in all organizations
|
||||
# other_user is all organizations
|
||||
# normal_user is a user in organization 0, and an admin of organization 1
|
||||
# nobody_user is a user not a member of any organizations
|
||||
|
||||
for x in self.organizations:
|
||||
# NOTE: superuser does not have to be explicitly added to admin group
|
||||
# x.admins.add(self.super_django_user)
|
||||
x.admins.add(self.super_django_user)
|
||||
x.users.add(self.super_django_user)
|
||||
x.users.add(self.other_django_user)
|
||||
|
||||
self.organizations[0].users.add(self.normal_django_user)
|
||||
self.organizations[1].admins.add(self.normal_django_user)
|
||||
@ -91,6 +92,11 @@ class OrganizationsTest(BaseTest):
|
||||
|
||||
# no admin rights? get empty list
|
||||
with self.current_user(self.other_django_user):
|
||||
response = self.get(url, expect=200)
|
||||
self.check_pagination_and_size(response, self.other_django_user.organizations.count(), previous=None, next=None)
|
||||
|
||||
# not a member of any orgs? get empty list
|
||||
with self.current_user(self.nobody_django_user):
|
||||
response = self.get(url, expect=200)
|
||||
self.check_pagination_and_size(response, 0, previous=None, next=None)
|
||||
|
||||
@ -112,8 +118,11 @@ class OrganizationsTest(BaseTest):
|
||||
data = self.get(urls[1], expect=200, auth=self.get_normal_credentials())
|
||||
data = self.get(urls[9], expect=403, auth=self.get_normal_credentials())
|
||||
|
||||
# other user isn't a user or admin of anything, and similarly can't get in
|
||||
data = self.get(urls[0], expect=403, auth=self.get_other_credentials())
|
||||
# other user is a member, but not admin, can access org
|
||||
data = self.get(urls[0], expect=200, auth=self.get_other_credentials())
|
||||
|
||||
# nobody user is not a member, cannot access org
|
||||
data = self.get(urls[0], expect=403, auth=self.get_nobody_credentials())
|
||||
|
||||
def test_get_item_subobjects_projects(self):
|
||||
|
||||
@ -128,20 +137,23 @@ class OrganizationsTest(BaseTest):
|
||||
self.get(projects0_url, expect=401, auth=None)
|
||||
self.get(projects0_url, expect=401, auth=self.get_invalid_credentials())
|
||||
|
||||
# normal user is just a member of the first org, but can't see any projects under the org
|
||||
projects0a = self.get(projects0_url, expect=403, auth=self.get_normal_credentials())
|
||||
# normal user is just a member of the first org, so can see all projects under the org
|
||||
projects0a = self.get(projects0_url, expect=200, auth=self.get_normal_credentials())
|
||||
|
||||
# however in the second org, he's an admin and should see all of them
|
||||
projects1a = self.get(projects1_url, expect=200, auth=self.get_normal_credentials())
|
||||
self.assertEquals(projects1a['count'], 5)
|
||||
|
||||
# but the non-admin cannot access the list of projects in the org. He should use /projects/ instead!
|
||||
projects1b = self.get(projects1_url, expect=403, auth=self.get_other_credentials())
|
||||
projects1b = self.get(projects1_url, expect=200, auth=self.get_other_credentials())
|
||||
|
||||
# superuser should be able to read anything
|
||||
projects9a = self.get(projects9_url, expect=200, auth=self.get_super_credentials())
|
||||
self.assertEquals(projects9a['count'], 1)
|
||||
|
||||
# nobody user is not a member of any org, so can't see projects...
|
||||
projects0a = self.get(projects0_url, expect=403, auth=self.get_nobody_credentials())
|
||||
projects1a = self.get(projects1_url, expect=403, auth=self.get_nobody_credentials())
|
||||
|
||||
def test_get_item_subobjects_users(self):
|
||||
|
||||
@ -149,9 +161,11 @@ class OrganizationsTest(BaseTest):
|
||||
orgs = self.get(self.collection(), expect=200, auth=self.get_super_credentials())
|
||||
org1_users_url = orgs['results'][1]['related']['users']
|
||||
org1_users = self.get(org1_users_url, expect=200, auth=self.get_normal_credentials())
|
||||
self.assertEquals(org1_users['count'], 1)
|
||||
self.assertEquals(org1_users['count'], 2)
|
||||
org1_users = self.get(org1_users_url, expect=200, auth=self.get_super_credentials())
|
||||
self.assertEquals(org1_users['count'], 1)
|
||||
self.assertEquals(org1_users['count'], 2)
|
||||
org1_users = self.get(org1_users_url, expect=200, auth=self.get_other_credentials())
|
||||
self.assertEquals(org1_users['count'], 2)
|
||||
|
||||
def test_get_item_subobjects_admins(self):
|
||||
|
||||
@ -159,9 +173,9 @@ class OrganizationsTest(BaseTest):
|
||||
orgs = self.get(self.collection(), expect=200, auth=self.get_super_credentials())
|
||||
org1_users_url = orgs['results'][1]['related']['admins']
|
||||
org1_users = self.get(org1_users_url, expect=200, auth=self.get_normal_credentials())
|
||||
self.assertEquals(org1_users['count'], 1)
|
||||
self.assertEquals(org1_users['count'], 2)
|
||||
org1_users = self.get(org1_users_url, expect=200, auth=self.get_super_credentials())
|
||||
self.assertEquals(org1_users['count'], 1)
|
||||
self.assertEquals(org1_users['count'], 2)
|
||||
|
||||
def test_get_organization_inventories_list(self):
|
||||
pass
|
||||
@ -268,13 +282,13 @@ class OrganizationsTest(BaseTest):
|
||||
|
||||
url = reverse('main:organization_users_list', args=(self.organizations[1].pk,))
|
||||
users = self.get(url, expect=200, auth=self.get_normal_credentials())
|
||||
self.assertEqual(users['count'], 1)
|
||||
self.assertEqual(users['count'], 2)
|
||||
self.post(url, dict(id=self.normal_django_user.pk), expect=204, auth=self.get_normal_credentials())
|
||||
users = self.get(url, expect=200, auth=self.get_normal_credentials())
|
||||
self.assertEqual(users['count'], 2)
|
||||
self.assertEqual(users['count'], 3)
|
||||
self.post(url, dict(id=self.normal_django_user.pk, disassociate=True), expect=204, auth=self.get_normal_credentials())
|
||||
users = self.get(url, expect=200, auth=self.get_normal_credentials())
|
||||
self.assertEqual(users['count'], 1)
|
||||
self.assertEqual(users['count'], 2)
|
||||
|
||||
# post a completely new user to verify we can add users to the subcollection directly
|
||||
new_user = dict(username='NewUser9000')
|
||||
@ -283,19 +297,19 @@ class OrganizationsTest(BaseTest):
|
||||
posted = self.post(url, new_user, expect=201, auth=self.get_normal_credentials())
|
||||
|
||||
all_users = self.get(url, expect=200, auth=self.get_normal_credentials())
|
||||
self.assertEqual(all_users['count'], 2)
|
||||
self.assertEqual(all_users['count'], 3)
|
||||
|
||||
def test_post_item_subobjects_admins(self):
|
||||
|
||||
url = reverse('main:organization_admins_list', args=(self.organizations[1].pk,))
|
||||
admins = self.get(url, expect=200, auth=self.get_normal_credentials())
|
||||
self.assertEqual(admins['count'], 1)
|
||||
self.post(url, dict(id=self.super_django_user.pk), expect=204, auth=self.get_normal_credentials())
|
||||
self.assertEqual(admins['count'], 2)
|
||||
self.post(url, dict(id=self.other_django_user.pk), expect=204, auth=self.get_normal_credentials())
|
||||
admins = self.get(url, expect=200, auth=self.get_normal_credentials())
|
||||
self.assertEqual(admins['count'], 3)
|
||||
self.post(url, dict(id=self.other_django_user.pk, disassociate=1), expect=204, auth=self.get_normal_credentials())
|
||||
admins = self.get(url, expect=200, auth=self.get_normal_credentials())
|
||||
self.assertEqual(admins['count'], 2)
|
||||
self.post(url, dict(id=self.super_django_user.pk, disassociate=1), expect=204, auth=self.get_normal_credentials())
|
||||
admins = self.get(url, expect=200, auth=self.get_normal_credentials())
|
||||
self.assertEqual(admins['count'], 1)
|
||||
|
||||
def _test_post_item_subobjects_tags(self):
|
||||
# FIXME: Update to support taggit!
|
||||
|
@ -333,7 +333,7 @@ class ProjectsTest(BaseTest):
|
||||
# =====================================================================
|
||||
# TEAM PROJECTS
|
||||
|
||||
team = Team.objects.filter(organization__pk=self.organizations[1].pk)[0]
|
||||
team = Team.objects.filter(active=True, organization__pk=self.organizations[1].pk)[0]
|
||||
team_projects = reverse('main:team_projects_list', args=(team.pk,))
|
||||
|
||||
p1 = self.projects[0]
|
||||
|
@ -146,7 +146,7 @@ class UsersTest(BaseTest):
|
||||
data2 = self.get(url, expect=200, auth=self.get_normal_credentials())
|
||||
self.assertEquals(data2['count'], 2)
|
||||
data1 = self.get(url, expect=200, auth=self.get_other_credentials())
|
||||
self.assertEquals(data1['count'], 1)
|
||||
self.assertEquals(data1['count'], 2)
|
||||
|
||||
def test_super_user_can_delete_a_user_but_only_marked_inactive(self):
|
||||
user_pk = self.normal_django_user.pk
|
||||
@ -199,8 +199,10 @@ class UsersTest(BaseTest):
|
||||
# also accessible via superuser
|
||||
data = self.get(url, expect=200, auth=self.get_super_credentials())
|
||||
self.assertEquals(data['count'], 1)
|
||||
# but not by other user
|
||||
data = self.get(url, expect=403, auth=self.get_other_credentials())
|
||||
# and also by other user...
|
||||
data = self.get(url, expect=200, auth=self.get_other_credentials())
|
||||
# but not by nobody user
|
||||
data = self.get(url, expect=403, auth=self.get_nobody_credentials())
|
||||
|
||||
# organizations the user is an admin of, should be 1
|
||||
url = reverse('main:user_admin_of_organizations_list',
|
||||
@ -210,8 +212,10 @@ class UsersTest(BaseTest):
|
||||
# also accessible via superuser
|
||||
data = self.get(url, expect=200, auth=self.get_super_credentials())
|
||||
self.assertEquals(data['count'], 1)
|
||||
# but not by other user
|
||||
data = self.get(url, expect=403, auth=self.get_other_credentials())
|
||||
# and also by other user
|
||||
data = self.get(url, expect=200, auth=self.get_other_credentials())
|
||||
# but not by nobody user
|
||||
data = self.get(url, expect=403, auth=self.get_nobody_credentials())
|
||||
|
||||
# teams the user is on, should be 0
|
||||
url = reverse('main:user_teams_list', args=(self.normal_django_user.pk,))
|
||||
@ -220,8 +224,10 @@ class UsersTest(BaseTest):
|
||||
# also accessible via superuser
|
||||
data = self.get(url, expect=200, auth=self.get_super_credentials())
|
||||
self.assertEquals(data['count'], 0)
|
||||
# but not by other user
|
||||
data = self.get(url, expect=403, auth=self.get_other_credentials())
|
||||
# and also by other user
|
||||
data = self.get(url, expect=200, auth=self.get_other_credentials())
|
||||
# but not by nobody user
|
||||
data = self.get(url, expect=403, auth=self.get_nobody_credentials())
|
||||
|
||||
# verify org admin can still read other user data too
|
||||
url = reverse('main:user_organizations_list',
|
||||
|
@ -326,7 +326,6 @@ class UserTeamsList(SubListAPIView):
|
||||
serializer_class = TeamSerializer
|
||||
parent_model = User
|
||||
relationship = 'teams'
|
||||
parent_access = 'read'
|
||||
|
||||
class UserPermissionsList(SubListCreateAPIView):
|
||||
|
||||
@ -335,7 +334,6 @@ class UserPermissionsList(SubListCreateAPIView):
|
||||
parent_model = User
|
||||
relationship = 'permissions'
|
||||
parent_key = 'user'
|
||||
parent_access = 'read'
|
||||
|
||||
class UserProjectsList(SubListAPIView):
|
||||
|
||||
@ -343,7 +341,6 @@ class UserProjectsList(SubListAPIView):
|
||||
serializer_class = ProjectSerializer
|
||||
parent_model = User
|
||||
relationship = 'projects'
|
||||
parent_access = 'read'
|
||||
|
||||
def get_queryset(self):
|
||||
parent = self.get_parent_object()
|
||||
@ -358,7 +355,6 @@ class UserCredentialsList(SubListCreateAPIView):
|
||||
parent_model = User
|
||||
relationship = 'credentials'
|
||||
parent_key = 'user'
|
||||
parent_access = 'read'
|
||||
|
||||
class UserOrganizationsList(SubListAPIView):
|
||||
|
||||
@ -366,7 +362,6 @@ class UserOrganizationsList(SubListAPIView):
|
||||
serializer_class = OrganizationSerializer
|
||||
parent_model = User
|
||||
relationship = 'organizations'
|
||||
parent_access = 'read'
|
||||
|
||||
class UserAdminOfOrganizationsList(SubListAPIView):
|
||||
|
||||
@ -374,7 +369,6 @@ class UserAdminOfOrganizationsList(SubListAPIView):
|
||||
serializer_class = OrganizationSerializer
|
||||
parent_model = User
|
||||
relationship = 'admin_of_organizations'
|
||||
parent_access = 'read'
|
||||
|
||||
class UserDetail(RetrieveUpdateDestroyAPIView):
|
||||
|
||||
@ -439,7 +433,6 @@ class InventoryHostsList(SubListCreateAPIView):
|
||||
serializer_class = HostSerializer
|
||||
parent_model = Inventory
|
||||
relationship = 'hosts'
|
||||
parent_access = 'read'
|
||||
parent_key = 'inventory'
|
||||
|
||||
class HostGroupsList(SubListCreateAPIView):
|
||||
@ -449,7 +442,6 @@ class HostGroupsList(SubListCreateAPIView):
|
||||
serializer_class = GroupSerializer
|
||||
parent_model = Host
|
||||
relationship = 'groups'
|
||||
parent_access = 'read'
|
||||
|
||||
class HostAllGroupsList(SubListAPIView):
|
||||
''' the list of all groups of which the host is directly or indirectly a member '''
|
||||
@ -458,7 +450,6 @@ class HostAllGroupsList(SubListAPIView):
|
||||
serializer_class = GroupSerializer
|
||||
parent_model = Host
|
||||
relationship = 'groups'
|
||||
parent_access = 'read'
|
||||
|
||||
def get_queryset(self):
|
||||
parent = self.get_parent_object()
|
||||
@ -478,7 +469,6 @@ class GroupChildrenList(SubListCreateAPIView):
|
||||
serializer_class = GroupSerializer
|
||||
parent_model = Group
|
||||
relationship = 'children'
|
||||
parent_access = 'read'
|
||||
|
||||
class GroupHostsList(SubListCreateAPIView):
|
||||
''' the list of hosts directly below a group '''
|
||||
@ -487,7 +477,6 @@ class GroupHostsList(SubListCreateAPIView):
|
||||
serializer_class = HostSerializer
|
||||
parent_model = Group
|
||||
relationship = 'hosts'
|
||||
parent_access = 'read'
|
||||
|
||||
class GroupAllHostsList(SubListAPIView):
|
||||
''' the list of all hosts below a group, even including subgroups '''
|
||||
@ -496,7 +485,6 @@ class GroupAllHostsList(SubListAPIView):
|
||||
serializer_class = HostSerializer
|
||||
parent_model = Group
|
||||
relationship = 'hosts'
|
||||
parent_access = 'read'
|
||||
|
||||
def get_queryset(self):
|
||||
parent = self.get_parent_object()
|
||||
@ -516,7 +504,6 @@ class InventoryGroupsList(SubListCreateAPIView):
|
||||
serializer_class = GroupSerializer
|
||||
parent_model = Inventory
|
||||
relationship = 'groups'
|
||||
parent_access = 'read'
|
||||
parent_key = 'inventory'
|
||||
|
||||
class InventoryRootGroupsList(SubListCreateAPIView):
|
||||
@ -525,7 +512,6 @@ class InventoryRootGroupsList(SubListCreateAPIView):
|
||||
serializer_class = GroupSerializer
|
||||
parent_model = Inventory
|
||||
relationship = 'groups'
|
||||
parent_access = 'read'
|
||||
parent_key = 'inventory'
|
||||
|
||||
def get_queryset(self):
|
||||
@ -837,7 +823,6 @@ class BaseJobHostSummariesList(SubListAPIView):
|
||||
serializer_class = JobHostSummarySerializer
|
||||
parent_model = None # Subclasses must define this attribute.
|
||||
relationship = 'job_host_summaries'
|
||||
parent_access = 'read'
|
||||
|
||||
view_name = 'Job Host Summary List'
|
||||
|
||||
@ -892,7 +877,6 @@ class BaseJobEventsList(SubListAPIView):
|
||||
serializer_class = JobEventSerializer
|
||||
parent_model = None # Subclasses must define this attribute.
|
||||
relationship = 'job_events'
|
||||
parent_access = 'read'
|
||||
|
||||
class HostJobEventsList(BaseJobEventsList):
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user