Merge pull request #355 from ansible/fix_ig_org_rbac
Ensure that only the super user can dis/associate IGs from Orgs
commit
5d3bc95283
@ -510,6 +510,8 @@ class OrganizationAccess(BaseAccess):
|
||||
I can change or delete organizations when:
|
||||
- I am a superuser.
|
||||
- I'm an admin of that organization.
|
||||
I can associate/disassociate instance groups when:
|
||||
- I am a superuser.
|
||||
'''
|
||||
|
||||
model = Organization
|
||||
@ -541,7 +543,7 @@ class OrganizationAccess(BaseAccess):
|
||||
|
||||
def can_attach(self, obj, sub_obj, relationship, *args, **kwargs):
|
||||
if relationship == "instance_groups":
|
||||
if self.user.can_access(type(sub_obj), "read", sub_obj) and self.user in obj.admin_role:
|
||||
if self.user.is_superuser:
|
||||
return True
|
||||
return False
|
||||
return super(OrganizationAccess, self).can_attach(obj, sub_obj, relationship, *args, **kwargs)
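Review bot: The superuser-only rule for `instance_groups` is changed in `can_attach` only, while the docstring text above promises it for disassociation as well; no `can_unattach` override is visible in these hunks, so the disassociate path presumably reaches this branch through the base class. A short comment on the branch would record that dependency and the intent, for example `# Superuser only: covers associate and, via can_unattach, disassociate; org admins are excluded on purpose`. The nested `if` / `return True` / `return False` can also be written as `return self.user.is_superuser`. The class and the start of `can_attach`'s surroundings lie outside the hunk, so the delegation should be confirmed against `BaseAccess` before relying on it.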
|
||||
|
@ -50,7 +50,7 @@ def test_ig_associability(organization, default_instance_group, admin, system_au
|
||||
organization.instance_groups.add(default_instance_group)
|
||||
|
||||
assert admin_access.can_unattach(organization, default_instance_group, 'instance_groups', None)
|
||||
assert oadmin_access.can_unattach(organization, default_instance_group, 'instance_groups', None)
|
||||
assert not oadmin_access.can_unattach(organization, default_instance_group, 'instance_groups', None)
|
||||
assert not auditor_access.can_unattach(organization, default_instance_group, 'instance_groups', None)
|
||||
assert not omember_access.can_unattach(organization, default_instance_group, 'instance_groups', None)
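Review bot: The updated assertions cover only `can_unattach` after `organization.instance_groups.add(...)`; nothing in the visible hunk re-checks `can_attach` for the organization admin once the group is attached, which is the state where the removed condition (read access plus `admin_role`) could plausibly have passed. Adding `assert not oadmin_access.can_attach(organization, default_instance_group, 'instance_groups', None)` after the `add` call would pin the new rule in both directions. The test body starts above the hunk, so an equivalent assertion may already exist there.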
|
||||
|
||||
|