Proof of concept hacks for RolePermission elimination
This commit is contained in:
parent
872ce2f9e8
commit
6d34ca9d22
@ -183,6 +183,7 @@ class ImplicitRoleField(models.ForeignKey):
|
||||
role = Role_.objects.create(
|
||||
created=now(),
|
||||
modified=now(),
|
||||
role_field=self.name,
|
||||
name=self.role_name,
|
||||
description=self.role_description
|
||||
)
|
||||
@ -233,6 +234,7 @@ class ImplicitRoleField(models.ForeignKey):
|
||||
else:
|
||||
role = Role_.objects.create(created=now(),
|
||||
modified=now(),
|
||||
role_field=path,
|
||||
singleton_name=singleton_name,
|
||||
name=singleton_name,
|
||||
description=singleton_name)
|
||||
|
@ -31,29 +31,25 @@ class ResourceMixin(models.Model):
|
||||
performant to resolve the resource in question then call
|
||||
`myresource.get_permissions(user)`.
|
||||
'''
|
||||
return ResourceMixin._accessible_objects(cls, accessor, permissions)
|
||||
return ResourceMixin._accessible_objects(cls, accessor, role_name)
|
||||
|
||||
@staticmethod
|
||||
def _accessible_objects(cls, accessor, permissions):
|
||||
def _accessible_objects(cls, accessor, role_name):
|
||||
if type(accessor) == User:
|
||||
qs = cls.objects.filter(
|
||||
role_permissions__role__ancestors__members=accessor
|
||||
)
|
||||
kwargs = {}
|
||||
kwargs[role_name + '__ancestors__members'] = accessor
|
||||
qs = cls.objects.filter(**kwargs)
|
||||
elif type(accessor) == Role:
|
||||
qs = cls.objects.filter(
|
||||
role_permissions__role__ancestors=accessor
|
||||
)
|
||||
kwargs = {}
|
||||
kwargs[role_name + '__ancestors'] = accessor
|
||||
qs = cls.objects.filter(**kwargs)
|
||||
else:
|
||||
accessor_type = ContentType.objects.get_for_model(accessor)
|
||||
roles = Role.objects.filter(content_type__pk=accessor_type.id,
|
||||
object_id=accessor.id)
|
||||
qs = cls.objects.filter(
|
||||
role_permissions__role__ancestors__in=roles
|
||||
)
|
||||
|
||||
for perm in permissions:
|
||||
qs = qs.annotate(**{'max_' + perm: Max('role_permissions__' + perm)})
|
||||
qs = qs.filter(**{'max_' + perm: int(permissions[perm])})
|
||||
kwargs = {}
|
||||
kwargs[role_name + '__ancestors__in'] = roles
|
||||
qs = cls.objects.filter(**kwargs)
|
||||
|
||||
#return cls.objects.filter(resource__in=qs)
|
||||
return qs
|
||||
|
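Review bot: `role_name` is spliced straight into the ORM lookup key (`kwargs[role_name + '__ancestors__members'] = accessor`, and likewise in the Role and content-type branches), so a caller passing any other string steers the access filter onto an arbitrary relation path, or gets a bare FieldError instead of a clear message. Validating it first, e.g. `if role_name not in {f.name for f in cls._meta.get_fields()}: raise ValueError('unknown role field: %s' % role_name)`, keeps the filter bound to the model's declared role fields; the three branches then differ only in the lookup suffix, so the repeated `kwargs = {}` / `qs = cls.objects.filter(**kwargs)` pair could be built once after the if/elif. `type(accessor) == User` and `type(accessor) == Role` should be `isinstance` checks so a proxy or subclass instance is not silently routed to the content-type branch. The leading lines of the hunk belong to the preceding method, whose start is outside the hunk.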
@ -77,6 +77,7 @@ class Role(CommonModelNameNotUnique):
|
||||
db_table = 'main_rbac_roles'
|
||||
|
||||
singleton_name = models.TextField(null=True, default=None, db_index=True, unique=True)
|
||||
role_field = models.TextField(null=False, default=None)
|
||||
parents = models.ManyToManyField('Role', related_name='children')
|
||||
implicit_parents = models.TextField(null=False, default='[]')
|
||||
ancestors = models.ManyToManyField('Role', related_name='descendents') # auto-generated by `rebuild_role_ancestor_list`
|
||||
|
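Review bot: `role_field = models.TextField(null=False, default=None)` declares a NOT NULL column whose Python default is None, so any `Role.objects.create(...)` that omits `role_field` fails with an IntegrityError at save time rather than a validation message. If that is the intent (every caller must name the field), a comment saying so would help, e.g. `# required: name of the ImplicitRoleField this role backs; no default on purpose so omissions fail loudly`. I do not see a migration for the new column in this commit, though it may be outside this view.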
@ -131,16 +131,10 @@ def create_user_role(instance, **kwargs):
|
||||
except Role.DoesNotExist:
|
||||
role = Role.objects.create(
|
||||
name = 'Owner',
|
||||
role_field='owner_role',
|
||||
content_object = instance,
|
||||
)
|
||||
role.members.add(instance)
|
||||
RolePermission.objects.create(
|
||||
role = role,
|
||||
resource = instance,
|
||||
auto_generated = True,
|
||||
create=1, read=1, write=1, delete=1, update=1,
|
||||
execute=1, scm_update=1, use=1,
|
||||
)
|
||||
|
||||
def org_admin_edit_members(instance, action, model, reverse, pk_set, **kwargs):
|
||||
content_type = ContentType.objects.get_for_model(Organization)
|
||||
|
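Review bot: the keyword arguments in the `Role.objects.create(` call mix `name = 'Owner'` and `content_object = instance` with the new `role_field='owner_role'`; PEP 8 puts no spaces around `=` in keyword arguments, so the call should read `name='Owner',` and `content_object=instance,`. With the RolePermission block removed, the role membership alone now carries the owner's access, which is consistent with the commit's aim. create_user_role begins outside the hunk.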
@ -9,8 +9,8 @@ from awx.main.models import (
|
||||
|
||||
@pytest.mark.django_db
|
||||
def test_auto_inheritance_by_children(organization, alice):
|
||||
A = Role.objects.create(name='A')
|
||||
B = Role.objects.create(name='B')
|
||||
A = Role.objects.create(name='A', role_field='')
|
||||
B = Role.objects.create(name='B', role_field='')
|
||||
A.members.add(alice)
|
||||
|
||||
assert alice not in organization.admin_role
|
||||
|