switch to single toggle and change name

2024-11-01 16:51:11 +03:00 · 2018-03-19 14:41:27 -04:00 · 2018-03-19 14:41:27 -04:00 · a9da494904
commit a9da494904
parent 771108e298
4 changed files with 41 additions and 40 deletions
--- a/awx/main/access.py
+++ b/awx/main/access.py
@ -352,6 +352,9 @@ class BaseAccess(object):
                # Connot copy manual project without errors
                user_capabilities[display_method] = False
                continue
+            elif display_method == 'copy' and (isinstance(obj, Team) or isinstance(obj, User)):
+                user_capabilities[display_method] = False
+                continue
            elif display_method in ['start', 'schedule'] and isinstance(obj, Group):  # TODO: remove in 3.3
                try:
                    if obj.deprecated_inventory_source and not obj.deprecated_inventory_source._can_update():
@ -505,9 +508,9 @@ class UserAccess(BaseAccess):
                return False
        if self.user.is_superuser:
            return True
-        if settings.ORGS_CAN_CREATE_USERS:
-            return Organization.accessible_objects(self.user, 'admin_role').exists()
-        return False
+        if not settings.MANAGE_ORGANIZATION_AUTH:
+            return False
+        return Organization.accessible_objects(self.user, 'admin_role').exists()

    def can_change(self, obj, data):
        if data is not None and ('is_superuser' in data or 'is_system_auditor' in data):
@ -519,10 +522,14 @@ class UserAccess(BaseAccess):
        # A user can be changed if they are themselves, or by org admins or
        # superusers.  Change permission implies changing only certain fields
        # that a user should be able to edit for themselves.
+        if not settings.MANAGE_ORGANIZATION_AUTH:
+            return False
        return bool(self.user == obj or self.can_admin(obj, data))

    @check_superuser
    def can_admin(self, obj, data):
+        if not settings.MANAGE_ORGANIZTION_AUTH:
+            return False
        return Organization.objects.filter(Q(member_role__members=obj) | Q(admin_role__members=obj),
                                           Q(admin_role__members=self.user)).exists()

@ -539,13 +546,19 @@ class UserAccess(BaseAccess):
        return False

    def can_attach(self, obj, sub_obj, relationship, *args, **kwargs):
-        "Reverse obj and sub_obj, defer to RoleAccess if this is a role assignment."
+        if not settings.MANAGE_ORGANIZTION_AUTH:
+            return False
+
+        # Reverse obj and sub_obj, defer to RoleAccess if this is a role assignment.
        if relationship == 'roles':
            role_access = RoleAccess(self.user)
            return role_access.can_attach(sub_obj, obj, 'members', *args, **kwargs)
        return super(UserAccess, self).can_attach(obj, sub_obj, relationship, *args, **kwargs)

    def can_unattach(self, obj, sub_obj, relationship, *args, **kwargs):
+        if not settings.MANAGE_ORGANIZTION_AUTH:
+            return False
+
        if relationship == 'roles':
            role_access = RoleAccess(self.user)
            return role_access.can_unattach(sub_obj, obj, 'members', *args, **kwargs)
@ -1080,9 +1093,9 @@ class TeamAccess(BaseAccess):
    def can_add(self, data):
        if not data:  # So the browseable API will work
            return Organization.accessible_objects(self.user, 'admin_role').exists()
-        if settings.ORGS_CAN_ASSIGN_USERS_TEAM:
-            return self.check_related('organization', Organization, data)
-        return False
+        if not settings.MANAGE_ORGANIZATION_AUTH:
+            return False
+        return self.check_related('organization', Organization, data)

    def can_change(self, obj, data):
        # Prevent moving a team to a different organization.
@ -1091,6 +1104,8 @@ class TeamAccess(BaseAccess):
            raise PermissionDenied(_('Unable to change organization on a team.'))
        if self.user.is_superuser:
            return True
+        if not settings.MANAGE_ORGANIZATION_AUTH:
+            return False
        return self.user in obj.admin_role

    def can_delete(self, obj):
@ -1099,6 +1114,8 @@ class TeamAccess(BaseAccess):
    def can_attach(self, obj, sub_obj, relationship, *args, **kwargs):
        """Reverse obj and sub_obj, defer to RoleAccess if this is an assignment
        of a resource role to the team."""
+        if not settings.MANAGE_ORGANIZATION_AUTH:
+            return False
        if isinstance(sub_obj, Role):
            if sub_obj.content_object is None:
                raise PermissionDenied(_("The {} role cannot be assigned to a team").format(sub_obj.name))
@ -1111,22 +1128,20 @@ class TeamAccess(BaseAccess):
                                              *args, **kwargs)
        if self.user.is_superuser:
            return True
-
-        if settings.ORGS_CAN_ASSIGN_USERS_TEAM:
-            return super(TeamAccess, self).can_attach(obj, sub_obj, relationship,
-                                                      *args, **kwargs)
-        return False
+        return super(TeamAccess, self).can_attach(obj, sub_obj, relationship,
+                                                  *args, **kwargs)

    def can_unattach(self, obj, sub_obj, relationship, *args, **kwargs):
+        if not settings.MANAGE_ORGANIZATION_AUTH:
+            return False
+
        if isinstance(sub_obj, Role):
            if isinstance(sub_obj.content_object, ResourceMixin):
                role_access = RoleAccess(self.user)
                return role_access.can_unattach(sub_obj, obj, 'member_role.parents',
                                                *args, **kwargs)
-        if settings.ORGS_CAN_ASSIGN_USERS_TEAM:
-            return super(TeamAccess, self).can_unattach(obj, sub_obj, relationship,
-                                                        *args, **kwargs)
-        return False
+        return super(TeamAccess, self).can_unattach(obj, sub_obj, relationship,
+                                                    *args, **kwargs)


 class ProjectAccess(BaseAccess):
@ -2484,7 +2499,7 @@ class RoleAccess(BaseAccess):
    @check_superuser
    def can_unattach(self, obj, sub_obj, relationship, data=None, skip_sub_obj_read_check=False):
        if isinstance(obj.content_object, Team):
-            if not settings.ORGS_CAN_ASSIGN_USERS_TEAM:
+            if not settings.MANAGE_ORGANIZATION_AUTH:
                return False

        if not skip_sub_obj_read_check and relationship in ['members', 'member_role.parents', 'parents']:
--- a/awx/main/conf.py
+++ b/awx/main/conf.py
@ -44,24 +44,11 @@ register(
 )

 register(
-    'ORGS_CAN_CREATE_USERS',
+    'MANAGE_ORGANIZATION_AUTH',
    field_class=fields.BooleanField,
-    label=_('Organization Admins can create users.'),
-    help_text=_('Enable Organizations to create users. You may want to '
-                'disable this if you populate your users from some external source '
-                'like LDAP or SAML.'),
-    category=_('System'),
-    category_slug='system',
-)
-
-register(
-    'ORGS_CAN_ASSIGN_USERS_TEAM',
-    field_class=fields.BooleanField,
-    label=_('Organization Admins can assign users to teams.'),
-    help_text=_('Enable Organizations to assign users to teams. You may want to '
-                'disable this if you populate your users from some external source '
-                'like LDAP or SAML. This will prevent team assignments for '
-                'Organization and Team admins.'),
+    label=_('Organizations Can Manage Users and Teams'),
+    help_text=_('Controls whether Orgainzations have the privileges to create and manage users and teams. '
+                'You may want to disable this ability if you are using an LDAP or SAML integration.'),
    category=_('System'),
    category_slug='system',
 )
@ -113,6 +100,7 @@ register(
    category_slug='system',
 )

+
 def _load_default_license_from_file():
    try:
        license_file = os.environ.get('AWX_LICENSE_FILE', '/etc/tower/license')
@ -124,6 +112,7 @@ def _load_default_license_from_file():
        logger.warning('Could not read license from "%s".', license_file, exc_info=True)
    return {}

+
 register(
    'LICENSE',
    field_class=fields.DictField,
@ -505,6 +494,7 @@ register(
    category_slug='logging',
 )

+
 def logging_validate(serializer, attrs):
    if not serializer.instance or \
            not hasattr(serializer.instance, 'LOG_AGGREGATOR_HOST') or \
--- a/awx/settings/defaults.py
+++ b/awx/settings/defaults.py
@ -945,8 +945,7 @@ FACT_CACHE_PORT = 6564

 # Note: This setting may be overridden by database settings.
 ORG_ADMINS_CAN_SEE_ALL_USERS = True
-ORGS_CAN_CREATE_USERS = True
-ORGS_CAN_ASSIGN_USERS_TEAM = True
+MANAGE_ORGANIZATION_AUTH = True

 # Note: This setting may be overridden by database settings.
 TOWER_ADMIN_ALERTS = True
--- a/awx/ui/client/src/configuration/system-form/sub-forms/system-misc.form.js
+++ b/awx/ui/client/src/configuration/system-form/sub-forms/system-misc.form.js
@ -21,10 +21,7 @@ export default ['i18n', function(i18n) {
            ORG_ADMINS_CAN_SEE_ALL_USERS: {
                type: 'toggleSwitch',
            },
-            ORGS_CAN_CREATE_USERS: {
-                type: 'toggleSwitch',
-            },
-            ORGS_CAN_ASSIGN_USERS_TEAM: {
+            MANAGE_ORGANIZATION_AUTH: {
                type: 'toggleSwitch',
            },
            SESSION_COOKIE_AGE: {