mirror of
https://github.com/ansible/awx.git
synced 2024-11-01 08:21:15 +03:00
Credential can_change updates for organization related field
This commit is contained in:
parent
ab0fd8ddb1
commit
c21d560cfd
@ -611,10 +611,20 @@ class CredentialAccess(BaseAccess):
|
||||
|
||||
@check_superuser
|
||||
def can_change(self, obj, data):
|
||||
if data is not None:
|
||||
keys = data.keys()
|
||||
if 'user' in keys or 'team' in keys or 'organization' in keys:
|
||||
if not self.can_add(data):
|
||||
if not obj:
|
||||
return False
|
||||
|
||||
# Check access to organizations
|
||||
organization_pk = get_pk_from_dict(data, 'organization')
|
||||
if organization_pk != getattr(obj, 'organization_id', None):
|
||||
if organization_pk:
|
||||
# admin permission to destination organization is mandatory
|
||||
new_organization_obj = get_object_or_400(Organization, pk=organization_pk)
|
||||
if self.user not in new_organization_obj.admin_role:
|
||||
return False
|
||||
# admin permission to existing organization is also mandatory
|
||||
if obj.organization:
|
||||
if self.user not in obj.organization.admin_role:
|
||||
return False
|
||||
|
||||
if obj.organization:
|
||||
|
@ -159,8 +159,7 @@ def machine_credential():
|
||||
|
||||
@pytest.fixture
|
||||
def org_credential(organization, credential):
|
||||
credential.admin_role.parents.add(organization.admin_role)
|
||||
return credential
|
||||
return Credential.objects.create(kind='aws', name='test-cred', organization=organization)
|
||||
|
||||
@pytest.fixture
|
||||
def inventory(organization):
|
||||
|
@ -112,7 +112,45 @@ def test_credential_access_admin(user, team, credential):
|
||||
cred.save()
|
||||
|
||||
# should have can_change access as org-admin
|
||||
assert access.can_change(credential, {'user': u.pk})
|
||||
assert access.can_change(credential, {'description': 'New description.'})
|
||||
|
||||
@pytest.mark.django_db
|
||||
def test_org_credential_access_member(alice, org_credential, credential):
|
||||
org_credential.admin_role.members.add(alice)
|
||||
credential.admin_role.members.add(alice)
|
||||
|
||||
access = CredentialAccess(alice)
|
||||
|
||||
# Alice should be able to PATCH if organization is not changed
|
||||
assert access.can_change(org_credential, {
|
||||
'description': 'New description.',
|
||||
'organization': org_credential.organization.pk})
|
||||
assert access.can_change(credential, {
|
||||
'description': 'New description.',
|
||||
'organization': None})
|
||||
|
||||
@pytest.mark.django_db
|
||||
def test_credential_access_org_permissions(
|
||||
org_admin, org_member, organization, org_credential, credential):
|
||||
credential.admin_role.members.add(org_admin)
|
||||
credential.admin_role.members.add(org_member)
|
||||
org_credential.admin_role.members.add(org_member)
|
||||
|
||||
access = CredentialAccess(org_admin)
|
||||
member_access = CredentialAccess(org_member)
|
||||
|
||||
# Org admin can move their own credential into their org
|
||||
assert access.can_change(credential, {'organization': organization.pk})
|
||||
# Org member can not
|
||||
assert not member_access.can_change(credential, {
|
||||
'organization': organization.pk})
|
||||
|
||||
# Org admin can remove a credential from their org
|
||||
assert access.can_change(org_credential, {'organization': None})
|
||||
# Org member can not
|
||||
assert not member_access.can_change(org_credential, {'organization': None})
|
||||
assert not member_access.can_change(org_credential, {
|
||||
'user': org_member.pk, 'organization': None})
|
||||
|
||||
@pytest.mark.django_db
|
||||
def test_cred_job_template_xfail(user, deploy_jobtemplate):
|
||||
|
Loading…
Reference in New Issue
Block a user