From c3666752e6a73f1cd82f149a828095cc7af46200 Mon Sep 17 00:00:00 2001 From: AlanCoding Date: Sat, 10 Dec 2016 07:46:30 -0500 Subject: [PATCH] check for UJT start access when adding node --- awx/main/access.py | 3 ++- awx/main/tests/functional/test_rbac_workflow.py | 15 +++++++++++++++ 2 files changed, 17 insertions(+), 1 deletion(-) diff --git a/awx/main/access.py b/awx/main/access.py index b1e9beebc6..5551e35dc6 100644 --- a/awx/main/access.py +++ b/awx/main/access.py @@ -1362,7 +1362,6 @@ class SystemJobAccess(BaseAccess): return False # no relaunching of system jobs -# TODO: class WorkflowJobTemplateNodeAccess(BaseAccess): ''' I can see/use a WorkflowJobTemplateNode if I have read permission @@ -1409,6 +1408,8 @@ class WorkflowJobTemplateNodeAccess(BaseAccess): return True if not self.check_related('workflow_job_template', WorkflowJobTemplate, data, mandatory=True): return False + if not self.check_related('unified_job_template', UnifiedJobTemplate, data): + return False if not self.can_use_prompted_resources(data): return False return True diff --git a/awx/main/tests/functional/test_rbac_workflow.py b/awx/main/tests/functional/test_rbac_workflow.py index 80eae5af8b..3b8e8f4862 100644 --- a/awx/main/tests/functional/test_rbac_workflow.py +++ b/awx/main/tests/functional/test_rbac_workflow.py @@ -55,6 +55,21 @@ class TestWorkflowJobTemplateNodeAccess: access = WorkflowJobTemplateNodeAccess(org_admin) assert not access.can_change(wfjt_node, {'job_type': 'scan'}) + def test_add_JT_no_start_perm(self, wfjt, job_template, rando): + wfjt.admin_role.members.add(rando) + access = WorkflowJobTemplateAccess(rando) + job_template.read_role.members.add(rando) + assert not access.can_add({ + 'workflow_job_template': wfjt.pk, + 'unified_job_template': job_template.pk}) + + def test_remove_unwanted_foreign_node(self, wfjt_node, job_template, rando): + wfjt = wfjt_node.workflow_job_template + wfjt.admin_role.members.add(rando) + wfjt_node.unified_job_template = job_template + access = WorkflowJobTemplateNodeAccess(rando) + assert access.can_delete(wfjt_node) + @pytest.mark.django_db class TestWorkflowJobAccess: