mirror of https://github.com/ansible/awx.git synced 2024-10-31 15:21:13 +03:00

Merge pull request #355 from ansible/fix_ig_org_rbac

Ensure that only the super user can dis/associate IGs from Orgs
Matthew Jones 2017-08-29 16:50:31 -04:00 committed by GitHub
commit 5d3bc95283
2 changed files with 4 additions and 2 deletions


@ -510,6 +510,8 @@ class OrganizationAccess(BaseAccess):
I can change or delete organizations when:
- I am a superuser.
- I'm an admin of that organization.
I can associate/disassociate instance groups when:
- I am a superuser.
'''
model = Organization
@ -541,7 +543,7 @@ class OrganizationAccess(BaseAccess):
def can_attach(self, obj, sub_obj, relationship, *args, **kwargs):
if relationship == "instance_groups":
if self.user.can_access(type(sub_obj), "read", sub_obj) and self.user in obj.admin_role:
if self.user.is_superuser:
return True
return False
return super(OrganizationAccess, self).can_attach(obj, sub_obj, relationship, *args, **kwargs)
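Review bot: Only `can_attach` is tightened in this section, while the commit title covers disassociation as well; `can_unattach` is not part of either hunk, so it is worth confirming that it sends the `instance_groups` relationship through this same check rather than through the base-class rule. The new branch can also be collapsed to `return self.user.is_superuser`, which drops the nested `return True` / `return False`. A short comment above it such as `# Org admin is deliberately not enough: only superusers may change an org's instance groups` would help keep a later refactor from re-adding the `admin_role` test. The class body starts above and continues below these hunks.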


@ -50,7 +50,7 @@ def test_ig_associability(organization, default_instance_group, admin, system_au
organization.instance_groups.add(default_instance_group)
assert admin_access.can_unattach(organization, default_instance_group, 'instance_groups', None)
assert oadmin_access.can_unattach(organization, default_instance_group, 'instance_groups', None)
assert not oadmin_access.can_unattach(organization, default_instance_group, 'instance_groups', None)
assert not auditor_access.can_unattach(organization, default_instance_group, 'instance_groups', None)
assert not omember_access.can_unattach(organization, default_instance_group, 'instance_groups', None)
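Review bot: The flipped assertion pins the denial for an org admin on `can_unattach`, but nothing visible in this hunk pins `can_attach` for the same user once the group is already associated, which is the state in which the old rule (read access plus `admin_role`) could have granted it. Adding `assert not oadmin_access.can_attach(organization, default_instance_group, 'instance_groups', None)` after the `instance_groups.add(...)` line would cover that regression path. The test function starts above the hunk, so an equivalent assertion may already exist there.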