
Merge pull request #1514 from wwitzel3/rbac-bug-1477

RBAC JobTemplate / Job Access Updates
This commit is contained in:
Wayne Witzel III 2016-04-13 14:50:17 -04:00
commit 90f9e5185a


@ -772,26 +772,14 @@ class JobTemplateAccess(BaseAccess):
# Super users can start any job
if self.user.is_superuser:
return True
# Check to make sure both the inventory and project exist
if obj.inventory is None:
return False
if obj.job_type == PERM_INVENTORY_SCAN:
if obj.project is None and obj.inventory.organization.accessible_by(self.user, {'read':True, 'update':True, 'write':True}):
return True
if not obj.inventory.organization.accessible_by(self.user, {'read':True, 'update':True, 'write':True}):
return False
if obj.project is None:
return False
# Scan job with default project, must have JT execute or be org admin
if obj.project is None and obj.inventory:
return (obj.accessible_by(self.user, {'execute': True}) or
obj.inventory.organization.accessible_by(self.user, ALL_PERMISSIONS))
# Given explicit execute access to this JobTemplate
if obj.accessible_by(self.user, {'execute':True}):
return True
# If the user has admin access to the project they can start a job
if obj.project.accessible_by(self.user, ALL_PERMISSIONS):
return True
return obj.inventory.accessible_by(self.user, {'read':True}) and obj.project.accessible_by(self.user, {'read':True})
return obj.accessible_by(self.user, {'execute':True})
def can_change(self, obj, data):
data_for_change = data
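Review bot: The new final return, `return obj.accessible_by(self.user, {'execute':True})`, no longer requires read access on the template's inventory and project, which the removed lines did demand alongside execute access; if the execute role on a job template is now meant to imply access to its dependencies, a comment saying so (`# Execute on the template is sufficient; dependency read access is not re-checked here`) will stop the next reader from re-adding the check, and if it is not meant to, the two read checks belong back before the return. The scan-job branch also evaluates `obj.inventory.organization.accessible_by(self.user, {'read':True, 'update':True, 'write':True})` twice in a row; binding it once as `org_access = obj.inventory.organization.accessible_by(self.user, {'read':True, 'update':True, 'write':True})` and testing `org_access` in both conditions keeps a single permission literal. The enclosing can_start begins above this hunk, and since the rendered page dropped the +/- markers, which lines are new is inferred from the hunk counts.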
@ -867,14 +855,18 @@ class JobAccess(BaseAccess):
# A super user can relaunch a job
if self.user.is_superuser:
return True
# If a user can launch the job template then they can relaunch a job from that
# job template
has_perm = False
if obj.job_template is not None and obj.job_template.accessible_by(self.user, {'execute':True}):
has_perm = True
dep_access_inventory = obj.inventory.accessible_by(self.user, {'read':True})
dep_access_project = obj.project is None or obj.project.accessible_by(self.user, {'read':True})
return self.can_read(obj) and dep_access_inventory and dep_access_project and has_perm
if obj.job_template is not None:
return obj.job_template.accessible_by(self.user, {'execute': True})
inventory_access = obj.inventory.accessible_by(self.user, {'use':True})
org_access = obj.inventory.organization.accessible_by(self.user, ALL_PERMISSIONS)
project_access = obj.project is None or obj.project.accessible_by(self.user, ALL_PERMISSIONS)
return inventory_access and (org_access or project_access)
def can_cancel(self, obj):
return self.can_read(obj) and obj.can_cancel
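Review bot: The fallback path dereferences `obj.inventory` unguarded in `inventory_access = obj.inventory.accessible_by(self.user, {'use':True})` and again for `obj.inventory.organization`, so a job with no job template and a null inventory would raise AttributeError here rather than be denied, whereas JobTemplateAccess.can_start in the previous hunk returns False when `obj.inventory is None`. If the inventory foreign key can be null for stored jobs, add `if obj.inventory is None: return False` ahead of that line, mirroring the template check. The new code also drops the former `self.can_read(obj)` requirement on both paths; if relaunch is intentionally decided purely by template execute access or inventory/org/project access, a one-line comment stating that would make the change deliberate rather than accidental. The enclosing can_start begins above this hunk, and the side of each line is inferred from the hunk counts since the markers are lost.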
@ -895,7 +887,7 @@ class SystemJobAccess(BaseAccess):
'''
model = SystemJob
class AdHocCommandAccess(BaseAccess):
class AdHocCommandAccess(BaseAccess):
'''
I can only see/run ad hoc commands when:
- I am a superuser.