mirror of
https://github.com/ansible/awx.git
synced 2024-11-01 08:21:15 +03:00
Handle cascading mark inactive in better ways as per rbac spec
specifically around Teams and Credentials
This commit is contained in:
parent
20d76bfc91
commit
695df551e7
@ -258,8 +258,8 @@ class InventoryAccess(BaseAccess):
|
|||||||
qs = qs.select_related('created_by', 'organization')
|
qs = qs.select_related('created_by', 'organization')
|
||||||
if self.user.is_superuser:
|
if self.user.is_superuser:
|
||||||
return qs
|
return qs
|
||||||
admin_of = qs.filter(organization__admins__in=[self.user],
|
qs = qs.filter(organization__active=True)
|
||||||
organization__active=True).distinct()
|
admin_of = qs.filter(organization__admins__in=[self.user]).distinct()
|
||||||
has_user_perms = qs.filter(
|
has_user_perms = qs.filter(
|
||||||
permissions__user__in=[self.user],
|
permissions__user__in=[self.user],
|
||||||
permissions__permission_type__in=allowed,
|
permissions__permission_type__in=allowed,
|
||||||
|
@ -83,6 +83,13 @@ class Team(CommonModelNameNotUnique):
|
|||||||
def get_absolute_url(self):
|
def get_absolute_url(self):
|
||||||
return reverse('api:team_detail', args=(self.pk,))
|
return reverse('api:team_detail', args=(self.pk,))
|
||||||
|
|
||||||
|
def mark_inactive(self, save=True):
|
||||||
|
'''
|
||||||
|
When marking a team inactive we'll wipe out its credentials also
|
||||||
|
'''
|
||||||
|
for cred in self.credentials.all():
|
||||||
|
cred.mark_inactive()
|
||||||
|
super(Team, self).mark_inactive(save=save)
|
||||||
|
|
||||||
class Permission(CommonModelNameNotUnique):
|
class Permission(CommonModelNameNotUnique):
|
||||||
'''
|
'''
|
||||||
|
@ -46,8 +46,6 @@ HIDDEN_PASSWORD = '**********'
|
|||||||
|
|
||||||
logger = logging.getLogger('awx.main.tasks')
|
logger = logging.getLogger('awx.main.tasks')
|
||||||
|
|
||||||
# FIXME: Cleanly cancel task when celery worker is stopped.
|
|
||||||
|
|
||||||
@task()
|
@task()
|
||||||
def bulk_inventory_element_delete(inventory, hosts=[], groups=[]):
|
def bulk_inventory_element_delete(inventory, hosts=[], groups=[]):
|
||||||
from awx.main.signals import disable_activity_stream
|
from awx.main.signals import disable_activity_stream
|
||||||
|
@ -251,6 +251,23 @@ class BaseJobTestMixin(BaseTestMixin):
|
|||||||
self.team_ops_west.users.add(self.user_greg)
|
self.team_ops_west.users.add(self.user_greg)
|
||||||
self.team_ops_west.users.add(self.user_iris)
|
self.team_ops_west.users.add(self.user_iris)
|
||||||
|
|
||||||
|
# The south team is no longer active having been folded into the east team
|
||||||
|
self.team_ops_south = self.org_ops.teams.create(
|
||||||
|
name='southerners',
|
||||||
|
created_by=self.user_sue,
|
||||||
|
active=False,
|
||||||
|
)
|
||||||
|
self.team_ops_south.projects.add(self.proj_prod)
|
||||||
|
self.team_ops_south.users.add(self.user_greg)
|
||||||
|
|
||||||
|
# The north team is going to be deleted
|
||||||
|
self.team_ops_north = self.org_ops.teams.create(
|
||||||
|
name='northerners',
|
||||||
|
created_by=self.user_sue,
|
||||||
|
)
|
||||||
|
self.team_ops_north.projects.add(self.proj_prod)
|
||||||
|
self.team_ops_north.users.add(self.user_greg)
|
||||||
|
|
||||||
# Each user has his/her own set of credentials.
|
# Each user has his/her own set of credentials.
|
||||||
from awx.main.tests.tasks import (TEST_SSH_KEY_DATA,
|
from awx.main.tests.tasks import (TEST_SSH_KEY_DATA,
|
||||||
TEST_SSH_KEY_DATA_LOCKED,
|
TEST_SSH_KEY_DATA_LOCKED,
|
||||||
@ -312,6 +329,17 @@ class BaseJobTestMixin(BaseTestMixin):
|
|||||||
password='Heading270',
|
password='Heading270',
|
||||||
created_by = self.user_sue,
|
created_by = self.user_sue,
|
||||||
)
|
)
|
||||||
|
self.cred_ops_south = self.team_ops_south.credentials.create(
|
||||||
|
username='south',
|
||||||
|
password='Heading180',
|
||||||
|
created_by = self.user_sue,
|
||||||
|
)
|
||||||
|
|
||||||
|
self.cred_ops_north = self.team_ops_north.credentials.create(
|
||||||
|
username='north',
|
||||||
|
password='Heading0',
|
||||||
|
created_by = self.user_sue,
|
||||||
|
)
|
||||||
|
|
||||||
# FIXME: Define explicit permissions for tests.
|
# FIXME: Define explicit permissions for tests.
|
||||||
# other django user is on the project team and can deploy
|
# other django user is on the project team and can deploy
|
||||||
@ -502,6 +530,20 @@ class JobTemplateTest(BaseJobTestMixin, django.test.TestCase):
|
|||||||
|
|
||||||
# FIXME: Check with other credentials.
|
# FIXME: Check with other credentials.
|
||||||
|
|
||||||
|
def test_credentials_list(self):
|
||||||
|
url = reverse('api:credential_list')
|
||||||
|
# Greg can't see the 'south' credential because the 'southerns' team is inactive
|
||||||
|
with self.current_user(self.user_greg):
|
||||||
|
all_credentials = self.get(url, expect=200)
|
||||||
|
self.assertFalse('south' in [x['username'] for x in all_credentials['results']])
|
||||||
|
|
||||||
|
url2 = reverse('api:team_detail', args=(self.team_ops_north.id,))
|
||||||
|
# Sue shouldn't be able to see the north credential once deleting its team
|
||||||
|
with self.current_user(self.user_sue):
|
||||||
|
self.delete(url2, expect=204)
|
||||||
|
all_credentials = self.get(url, expect=200)
|
||||||
|
self.assertFalse('north' in [x['username'] for x in all_credentials['results']])
|
||||||
|
|
||||||
def test_post_job_template_list(self):
|
def test_post_job_template_list(self):
|
||||||
url = reverse('api:job_template_list')
|
url = reverse('api:job_template_list')
|
||||||
data = dict(
|
data = dict(
|
||||||
@ -686,6 +728,8 @@ class JobTest(BaseJobTestMixin, django.test.TestCase):
|
|||||||
with self.current_user(self.user_sue):
|
with self.current_user(self.user_sue):
|
||||||
response = self.post(url, data, expect=201)
|
response = self.post(url, data, expect=201)
|
||||||
|
|
||||||
|
# sue can't create a job when it is hidden due to inactive team
|
||||||
|
|
||||||
# FIXME: Check with other credentials and optional fields.
|
# FIXME: Check with other credentials and optional fields.
|
||||||
|
|
||||||
def test_get_job_detail(self):
|
def test_get_job_detail(self):
|
||||||
|
Loading…
Reference in New Issue
Block a user