mirror of https://github.com/ansible/awx.git synced 2024-10-31 15:21:13 +03:00

Fix AC-293. Explicitly check for start/cancel permissions on job for access to job start/cancel views.

Chris Church 2013-07-28 13:50:25 -04:00
parent 6f09299284
commit 4c2af3a879
2 changed files with 13 additions and 2 deletions


@ -14,6 +14,7 @@ from rest_framework import permissions
# AWX
from awx.main.access import *
from awx.main.models import *
from awx.main.utils import get_object_or_400
logger = logging.getLogger('awx.main.permissions')
@ -34,7 +35,7 @@ class ModelAccessPermission(permissions.BasePermission):
def check_get_permissions(self, request, view, obj=None):
if hasattr(view, 'parent_model'):
parent_obj = view.parent_model.objects.get(pk=view.kwargs['pk'])
parent_obj = get_object_or_400(view.parent_model, pk=view.kwargs['pk'])
if not check_user_access(request.user, view.parent_model, 'read',
parent_obj):
return False
@ -44,8 +45,16 @@ class ModelAccessPermission(permissions.BasePermission):
def check_post_permissions(self, request, view, obj=None):
if hasattr(view, 'parent_model'):
parent_obj = view.parent_model.objects.get(pk=view.kwargs['pk'])
parent_obj = get_object_or_400(view.parent_model, pk=view.kwargs['pk'])
return True
elif getattr(view, 'is_job_start', False):
if not obj:
return True
return check_user_access(request.user, view.model, 'start', obj)
elif getattr(view, 'is_job_cancel', False):
if not obj:
return True
return check_user_access(request.user, view.model, 'cancel', obj)
else:
if obj:
return True
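Review bot: In `check_post_permissions`, both new branches return `True` when `obj` is falsy (`if not obj: return True`), so the 'start' and 'cancel' checks run only if the view later triggers the object-level permission pass. The POST handlers are outside these hunks, so it is worth confirming that they call `self.get_object()` (or `check_object_permissions`) before acting, as the visible `get` handlers do. A regression test in which a user with read but not start access POSTs to the start view would pin this. Separately, the `parent_model` branch just above now resolves `parent_obj` through `get_object_or_400` and then returns `True` without a `check_user_access` call, unlike `check_get_permissions`; if the sub-view verifies access itself, a comment such as `# access to parent_obj is checked in the view's post()` would make that explicit. The method body continues past the end of the hunk.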


@ -782,6 +782,7 @@ class JobDetail(RetrieveUpdateDestroyAPIView):
class JobStart(generics.GenericAPIView):
model = Job
is_job_start = True
def get(self, request, *args, **kwargs):
obj = self.get_object()
@ -807,6 +808,7 @@ class JobStart(generics.GenericAPIView):
class JobCancel(generics.GenericAPIView):
model = Job
is_job_cancel = True
def get(self, request, *args, **kwargs):
obj = self.get_object()
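Review bot: `is_job_start = True` and `is_job_cancel = True` are undocumented marker attributes that the permission class reads by name with `getattr(view, 'is_job_start', False)`, so a future view that misspells or omits the flag falls through silently to the generic POST branch. A one-line comment on each would document the coupling, for example `# Read by ModelAccessPermission.check_post_permissions: POST requires 'start' access on the job.` and the matching `'cancel'` wording on `JobCancel`. The flags are consulted only in `check_post_permissions`, so GET on these views is presumably still governed by `check_get_permissions`, which this commit does not change for them. Both class bodies continue outside the hunks.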