Merge pull request #4379 from AlanCoding/node_exec_rbac

Check for UJT start access when adding node

awx/main/access.py

@@ -1362,7 +1362,6 @@ class SystemJobAccess(BaseAccess):
         return False # no relaunching of system jobs
 
 
-# TODO:
 class WorkflowJobTemplateNodeAccess(BaseAccess):
     '''
     I can see/use a WorkflowJobTemplateNode if I have read permission
@@ -1409,6 +1408,8 @@ class WorkflowJobTemplateNodeAccess(BaseAccess):
             return True
         if not self.check_related('workflow_job_template', WorkflowJobTemplate, data, mandatory=True):
             return False
+        if not self.check_related('unified_job_template', UnifiedJobTemplate, data):
+            return False
         if not self.can_use_prompted_resources(data):
             return False
         return True

awx/main/tests/functional/test_rbac_workflow.py

@@ -55,6 +55,21 @@ class TestWorkflowJobTemplateNodeAccess:
         access = WorkflowJobTemplateNodeAccess(org_admin)
         assert not access.can_change(wfjt_node, {'job_type': 'scan'})
 
+    def test_add_JT_no_start_perm(self, wfjt, job_template, rando):
+        wfjt.admin_role.members.add(rando)
+        access = WorkflowJobTemplateAccess(rando)
+        job_template.read_role.members.add(rando)
+        assert not access.can_add({
+            'workflow_job_template': wfjt.pk,
+            'unified_job_template': job_template.pk})
+
+    def test_remove_unwanted_foreign_node(self, wfjt_node, job_template, rando):
+        wfjt = wfjt_node.workflow_job_template
+        wfjt.admin_role.members.add(rando)
+        wfjt_node.unified_job_template = job_template
+        access = WorkflowJobTemplateNodeAccess(rando)
+        assert access.can_delete(wfjt_node)
+
 
 @pytest.mark.django_db
 class TestWorkflowJobAccess: