1
0
mirror of https://github.com/ansible/awx.git synced 2024-11-01 08:21:15 +03:00

Merge pull request #4379 from AlanCoding/node_exec_rbac

Check for UJT start access when adding node
This commit is contained in:
Alan Rominger 2016-12-12 10:12:20 -05:00 committed by GitHub
commit 5ee11b5ba3
2 changed files with 17 additions and 1 deletions

View File

@ -1362,7 +1362,6 @@ class SystemJobAccess(BaseAccess):
return False # no relaunching of system jobs
# TODO:
class WorkflowJobTemplateNodeAccess(BaseAccess):
'''
I can see/use a WorkflowJobTemplateNode if I have read permission
@ -1409,6 +1408,8 @@ class WorkflowJobTemplateNodeAccess(BaseAccess):
return True
if not self.check_related('workflow_job_template', WorkflowJobTemplate, data, mandatory=True):
return False
if not self.check_related('unified_job_template', UnifiedJobTemplate, data):
return False
if not self.can_use_prompted_resources(data):
return False
return True

View File

@ -55,6 +55,21 @@ class TestWorkflowJobTemplateNodeAccess:
access = WorkflowJobTemplateNodeAccess(org_admin)
assert not access.can_change(wfjt_node, {'job_type': 'scan'})
def test_add_JT_no_start_perm(self, wfjt, job_template, rando):
wfjt.admin_role.members.add(rando)
access = WorkflowJobTemplateAccess(rando)
job_template.read_role.members.add(rando)
assert not access.can_add({
'workflow_job_template': wfjt.pk,
'unified_job_template': job_template.pk})
def test_remove_unwanted_foreign_node(self, wfjt_node, job_template, rando):
wfjt = wfjt_node.workflow_job_template
wfjt.admin_role.members.add(rando)
wfjt_node.unified_job_template = job_template
access = WorkflowJobTemplateNodeAccess(rando)
assert access.can_delete(wfjt_node)
@pytest.mark.django_db
class TestWorkflowJobAccess: