shaba/awx
1
0
Fork 0
mirror of https://github.com/ansible/awx.git synced 2024-11-01 08:21:15 +03:00
Code Releases Activity

also limit creation of system auditors to superusers

Browse Source 
squash
This commit is contained in:
AlanCoding 2016-07-27 16:54:50 -04:00
parent f53a1b8f6c
commit 945635eb70
2 changed files with 19 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
awx/main/access.py
View File

@ -245,16 +245,18 @@ class UserAccess(BaseAccess):
def can_add(self, data):
if data is not None and 'is_superuser' in data:
if to_python_boolean(data['is_superuser'], allow_none=True) and not self.user.is_superuser:
if data is not None and ('is_superuser' in data or 'is_system_auditor' in data):
if (to_python_boolean(data.get('is_superuser', 'false'), allow_none=True) or
to_python_boolean(data.get('is_system_auditor', 'false'), allow_none=True)) and not self.user.is_superuser:
return False
if self.user.is_superuser:
return True
return Organization.accessible_objects(self.user, 'admin_role').exists()
def can_change(self, obj, data):
if data is not None and 'is_superuser' in data:
if to_python_boolean(data['is_superuser'], allow_none=True) and not self.user.is_superuser:
if data is not None and ('is_superuser' in data or 'is_system_auditor' in data):
if (to_python_boolean(data.get('is_superuser', 'false'), allow_none=True) or
to_python_boolean(data.get('is_system_auditor', 'false'), allow_none=True)) and not self.user.is_superuser:
return False
# A user can be changed if they are themselves, or by org admins or
# superusers. Change permission implies changing only certain fields

13
awx/main/tests/functional/test_rbac_user.py
View File

@ -75,3 +75,16 @@ def test_org_user_removed(user, organization):
organization.member_role.members.remove(member)
assert admin not in member.admin_role
@pytest.mark.django_db
def test_org_admin_create_sys_auditor(org_admin):
access = UserAccess(org_admin)
assert not access.can_add(data=dict(
username='new_user', password="pa$$sowrd", email="asdf@redhat.com",
is_system_auditor='true'))
@pytest.mark.django_db
def test_org_admin_edit_sys_auditor(org_admin, alice, organization):
organization.member_role.members.add(alice)
access = UserAccess(org_admin)
assert not access.can_change(obj=alice, data=dict(is_system_auditor='true'))