add can_read method to JobAccess

2024-11-02 09:51:09 +03:00 · 2016-10-13 15:18:29 -04:00 · 2016-10-13 15:18:29 -04:00 · 9a44dc4ba0
commit 9a44dc4ba0
parent d9ac461bb8
1 changed files with 17 additions and 6 deletions
--- a/awx/main/access.py
+++ b/awx/main/access.py
@ -1168,6 +1168,22 @@ class JobAccess(BaseAccess):
            Q(inventory__organization__in=org_access_qs) |
            Q(project__organization__in=org_access_qs)).distinct()

+    def org_access(self, obj):
+        """
+        Via the organization of a related resource, user has a claim to org_admin access of this job
+        """
+        if obj.inventory and obj.inventory.organization and self.user in obj.inventory.organization.admin_role:
+            return True
+        elif obj.project and obj.project.organization and self.user in obj.project.organization.admin_role:
+            return True
+        return False
+
+    @check_superuser
+    def can_read(self, obj):
+        if obj.job_template and self.user in obj.job_template.read_role:
+            return True
+        return self.org_access(obj)
+
    def can_add(self, data):
        if not data:  # So the browseable API will work
            return True
@ -1196,12 +1212,7 @@ class JobAccess(BaseAccess):

    @check_superuser
    def can_delete(self, obj):
-        if obj.inventory is not None and self.user in obj.inventory.organization.admin_role:
-            return True
-        if (obj.project is not None and obj.project.organization is not None and
-                self.user in obj.project.organization.admin_role):
-            return True
-        return False
+        return self.org_access(obj)

    def can_start(self, obj, validate_license=True):
        if validate_license: