1
0
mirror of https://github.com/ansible/awx.git synced 2024-11-01 08:21:15 +03:00

Credential can_change updates for organization related field

This commit is contained in:
AlanCoding 2016-07-05 12:33:19 -04:00
parent ab0fd8ddb1
commit c21d560cfd
3 changed files with 54 additions and 7 deletions

View File

@ -611,10 +611,20 @@ class CredentialAccess(BaseAccess):
@check_superuser
def can_change(self, obj, data):
if data is not None:
keys = data.keys()
if 'user' in keys or 'team' in keys or 'organization' in keys:
if not self.can_add(data):
if not obj:
return False
# Check access to organizations
organization_pk = get_pk_from_dict(data, 'organization')
if organization_pk != getattr(obj, 'organization_id', None):
if organization_pk:
# admin permission to destination organization is mandatory
new_organization_obj = get_object_or_400(Organization, pk=organization_pk)
if self.user not in new_organization_obj.admin_role:
return False
# admin permission to existing organization is also mandatory
if obj.organization:
if self.user not in obj.organization.admin_role:
return False
if obj.organization:

View File

@ -159,8 +159,7 @@ def machine_credential():
@pytest.fixture
def org_credential(organization, credential):
credential.admin_role.parents.add(organization.admin_role)
return credential
return Credential.objects.create(kind='aws', name='test-cred', organization=organization)
@pytest.fixture
def inventory(organization):

View File

@ -112,7 +112,45 @@ def test_credential_access_admin(user, team, credential):
cred.save()
# should have can_change access as org-admin
assert access.can_change(credential, {'user': u.pk})
assert access.can_change(credential, {'description': 'New description.'})
@pytest.mark.django_db
def test_org_credential_access_member(alice, org_credential, credential):
org_credential.admin_role.members.add(alice)
credential.admin_role.members.add(alice)
access = CredentialAccess(alice)
# Alice should be able to PATCH if organization is not changed
assert access.can_change(org_credential, {
'description': 'New description.',
'organization': org_credential.organization.pk})
assert access.can_change(credential, {
'description': 'New description.',
'organization': None})
@pytest.mark.django_db
def test_credential_access_org_permissions(
org_admin, org_member, organization, org_credential, credential):
credential.admin_role.members.add(org_admin)
credential.admin_role.members.add(org_member)
org_credential.admin_role.members.add(org_member)
access = CredentialAccess(org_admin)
member_access = CredentialAccess(org_member)
# Org admin can move their own credential into their org
assert access.can_change(credential, {'organization': organization.pk})
# Org member can not
assert not member_access.can_change(credential, {
'organization': organization.pk})
# Org admin can remove a credential from their org
assert access.can_change(org_credential, {'organization': None})
# Org member can not
assert not member_access.can_change(org_credential, {'organization': None})
assert not member_access.can_change(org_credential, {
'user': org_member.pk, 'organization': None})
@pytest.mark.django_db
def test_cred_job_template_xfail(user, deploy_jobtemplate):