mirror of https://github.com/ansible/awx.git synced 2024-11-01 08:21:15 +03:00

restrict User.admin_role membership changes through RoleUsersList

Wayne Witzel III 2016-07-29 09:42:04 -04:00
parent a431ac7854
commit 52865eea6a


@ -3653,6 +3653,15 @@ class RoleUsersList(SubListCreateAttachDetachAPIView):
if not sub_id: if not sub_id:
data = dict(msg="User 'id' field is missing.") data = dict(msg="User 'id' field is missing.")
return Response(data, status=status.HTTP_400_BAD_REQUEST) return Response(data, status=status.HTTP_400_BAD_REQUEST)
role = self.get_parent_object()
if role == self.request.user.admin_role:
raise PermissionDenied('You may not perform any action with your own admin_role.')
user_content_type = ContentType.objects.get_for_model(User)
if role.content_type == user_content_type:
raise PermissionDenied('You may not change the membership of a users admin_role')
return super(RoleUsersList, self).post(request, *args, **kwargs) return super(RoleUsersList, self).post(request, *args, **kwargs)
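Review bot: The new guard lives only in `RoleUsersList.post`, so the restriction holds for this one view rather than for the role itself. Any other path that changes role membership would need the same check; none is visible in this hunk, so confirm whether a team sublist on the role or a roles sublist on the user exists, and consider moving the test into the shared access check so it cannot be missed. The first condition (`role == self.request.user.admin_role`) looks redundant for enforcement, since a user's own admin_role presumably also has the User content type and would be rejected by the second check; if it is kept only for the more specific message, say so in a comment such as `# own admin_role: same denial as below, clearer message`. The second message has a typo and should read `'You may not change the membership of a user\'s admin_role'`. The body of `post` starts outside the hunk, so the ordering against the parent permission check cannot be verified from here.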