
Proof of concept hacks for RolePermission elimination

Akita Noek 2016-04-15 10:03:50 -04:00
parent 872ce2f9e8
commit 6d34ca9d22
5 changed files with 17 additions and 24 deletions


@ -183,6 +183,7 @@ class ImplicitRoleField(models.ForeignKey):
role = Role_.objects.create(
created=now(),
modified=now(),
role_field=self.name,
name=self.role_name,
description=self.role_description
)
@ -233,6 +234,7 @@ class ImplicitRoleField(models.ForeignKey):
else:
role = Role_.objects.create(created=now(),
modified=now(),
role_field=path,
singleton_name=singleton_name,
name=singleton_name,
description=singleton_name)
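Review bot: role_field is filled from two different sources in this file, `role_field=self.name` in the first create() and `role_field=path` in the singleton branch, and nothing visible here says whether `path` is a field name like the first one. If the column is meant to hold the name of the ImplicitRoleField that owns the role, a comment such as `# role_field: name of the ImplicitRoleField that owns this role` above the first call would pin that down, and the singleton call should say what it stores instead. Both create() calls sit in functions that begin and end outside the hunks shown.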


@ -31,29 +31,25 @@ class ResourceMixin(models.Model):
performant to resolve the resource in question then call
`myresource.get_permissions(user)`.
'''
return ResourceMixin._accessible_objects(cls, accessor, permissions)
return ResourceMixin._accessible_objects(cls, accessor, role_name)
@staticmethod
def _accessible_objects(cls, accessor, permissions):
def _accessible_objects(cls, accessor, role_name):
if type(accessor) == User:
qs = cls.objects.filter(
role_permissions__role__ancestors__members=accessor
)
kwargs = {}
kwargs[role_name + '__ancestors__members'] = accessor
qs = cls.objects.filter(**kwargs)
elif type(accessor) == Role:
qs = cls.objects.filter(
role_permissions__role__ancestors=accessor
)
kwargs = {}
kwargs[role_name + '__ancestors'] = accessor
qs = cls.objects.filter(**kwargs)
else:
accessor_type = ContentType.objects.get_for_model(accessor)
roles = Role.objects.filter(content_type__pk=accessor_type.id,
object_id=accessor.id)
qs = cls.objects.filter(
role_permissions__role__ancestors__in=roles
)
for perm in permissions:
qs = qs.annotate(**{'max_' + perm: Max('role_permissions__' + perm)})
qs = qs.filter(**{'max_' + perm: int(permissions[perm])})
kwargs = {}
kwargs[role_name + '__ancestors__in'] = roles
qs = cls.objects.filter(**kwargs)
#return cls.objects.filter(resource__in=qs)
return qs
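Review bot: `role_name` goes straight into an ORM lookup key (`kwargs[role_name + '__ancestors__members'] = accessor`, and likewise for the `__ancestors` and `__ancestors__in` variants) with no check that it names a role field on `cls`. This queryset is the access filter that replaces the old `role_permissions` test, so a name derived from a caller-controlled value could point the lookup at any relation on the model, and a typo only surfaces as a FieldError at query time. A guard at the top of `_accessible_objects`, for example `if not isinstance(cls._meta.get_field(role_name), ImplicitRoleField): raise ValueError(role_name)`, would confine it to declared role fields (ImplicitRoleField would presumably need importing in this module). The docstring above still points readers to `get_permissions(user)` and should describe `role_name` instead; the public method's signature is outside the hunk.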


@ -77,6 +77,7 @@ class Role(CommonModelNameNotUnique):
db_table = 'main_rbac_roles'
singleton_name = models.TextField(null=True, default=None, db_index=True, unique=True)
role_field = models.TextField(null=False, default=None)
parents = models.ManyToManyField('Role', related_name='children')
implicit_parents = models.TextField(null=False, default='[]')
ancestors = models.ManyToManyField('Role', related_name='descendents') # auto-generated by `rebuild_role_ancestor_list`
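Review bot: `role_field = models.TextField(null=False, default=None)` pairs a NOT NULL column with a None default, so any `Role.objects.create(...)` that omits role_field fails at the database with an IntegrityError rather than a validation error. As far as this page shows, none of the five changed files is a migration, so existing rows in `main_rbac_roles` would have no value to take when the column is added. Either give the field a real default such as `default=''` (the value the updated test already passes explicitly), or keep it required and add a data migration that backfills it. A short comment saying what the field holds would help as well.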


@ -131,16 +131,10 @@ def create_user_role(instance, **kwargs):
except Role.DoesNotExist:
role = Role.objects.create(
name = 'Owner',
role_field='owner_role',
content_object = instance,
)
role.members.add(instance)
RolePermission.objects.create(
role = role,
resource = instance,
auto_generated = True,
create=1, read=1, write=1, delete=1, update=1,
execute=1, scm_update=1, use=1,
)
def org_admin_edit_members(instance, action, model, reverse, pk_set, **kwargs):
content_type = ContentType.objects.get_for_model(Organization)


@ -9,8 +9,8 @@ from awx.main.models import (
@pytest.mark.django_db
def test_auto_inheritance_by_children(organization, alice):
A = Role.objects.create(name='A')
B = Role.objects.create(name='B')
A = Role.objects.create(name='A', role_field='')
B = Role.objects.create(name='B', role_field='')
A.members.add(alice)
assert alice not in organization.admin_role