mirror of
https://github.com/ansible/awx.git
synced 2024-11-01 08:21:15 +03:00
Merge pull request #4379 from AlanCoding/node_exec_rbac
Check for UJT start access when adding node
This commit is contained in:
commit
5ee11b5ba3
@ -1362,7 +1362,6 @@ class SystemJobAccess(BaseAccess):
|
||||
return False # no relaunching of system jobs
|
||||
|
||||
|
||||
# TODO:
|
||||
class WorkflowJobTemplateNodeAccess(BaseAccess):
|
||||
'''
|
||||
I can see/use a WorkflowJobTemplateNode if I have read permission
|
||||
@ -1409,6 +1408,8 @@ class WorkflowJobTemplateNodeAccess(BaseAccess):
|
||||
return True
|
||||
if not self.check_related('workflow_job_template', WorkflowJobTemplate, data, mandatory=True):
|
||||
return False
|
||||
if not self.check_related('unified_job_template', UnifiedJobTemplate, data):
|
||||
return False
|
||||
if not self.can_use_prompted_resources(data):
|
||||
return False
|
||||
return True
|
||||
|
@ -55,6 +55,21 @@ class TestWorkflowJobTemplateNodeAccess:
|
||||
access = WorkflowJobTemplateNodeAccess(org_admin)
|
||||
assert not access.can_change(wfjt_node, {'job_type': 'scan'})
|
||||
|
||||
def test_add_JT_no_start_perm(self, wfjt, job_template, rando):
|
||||
wfjt.admin_role.members.add(rando)
|
||||
access = WorkflowJobTemplateAccess(rando)
|
||||
job_template.read_role.members.add(rando)
|
||||
assert not access.can_add({
|
||||
'workflow_job_template': wfjt.pk,
|
||||
'unified_job_template': job_template.pk})
|
||||
|
||||
def test_remove_unwanted_foreign_node(self, wfjt_node, job_template, rando):
|
||||
wfjt = wfjt_node.workflow_job_template
|
||||
wfjt.admin_role.members.add(rando)
|
||||
wfjt_node.unified_job_template = job_template
|
||||
access = WorkflowJobTemplateNodeAccess(rando)
|
||||
assert access.can_delete(wfjt_node)
|
||||
|
||||
|
||||
@pytest.mark.django_db
|
||||
class TestWorkflowJobAccess:
|
||||
|
Loading…
Reference in New Issue
Block a user