check for UJT start access when adding node

2024-11-01 08:21:15 +03:00 · 2016-12-10 07:46:30 -05:00 · 2016-12-10 07:46:30 -05:00 · c3666752e6
commit c3666752e6
parent 75a85cdab2
2 changed files with 17 additions and 1 deletions
--- a/awx/main/access.py
+++ b/awx/main/access.py
@ -1362,7 +1362,6 @@ class SystemJobAccess(BaseAccess):
        return False # no relaunching of system jobs


-# TODO:
 class WorkflowJobTemplateNodeAccess(BaseAccess):
    '''
    I can see/use a WorkflowJobTemplateNode if I have read permission
@ -1409,6 +1408,8 @@ class WorkflowJobTemplateNodeAccess(BaseAccess):
            return True
        if not self.check_related('workflow_job_template', WorkflowJobTemplate, data, mandatory=True):
            return False
+        if not self.check_related('unified_job_template', UnifiedJobTemplate, data):
+            return False
        if not self.can_use_prompted_resources(data):
            return False
        return True
--- a/awx/main/tests/functional/test_rbac_workflow.py
+++ b/awx/main/tests/functional/test_rbac_workflow.py
@ -55,6 +55,21 @@ class TestWorkflowJobTemplateNodeAccess:
        access = WorkflowJobTemplateNodeAccess(org_admin)
        assert not access.can_change(wfjt_node, {'job_type': 'scan'})

+    def test_add_JT_no_start_perm(self, wfjt, job_template, rando):
+        wfjt.admin_role.members.add(rando)
+        access = WorkflowJobTemplateAccess(rando)
+        job_template.read_role.members.add(rando)
+        assert not access.can_add({
+            'workflow_job_template': wfjt.pk,
+            'unified_job_template': job_template.pk})
+
+    def test_remove_unwanted_foreign_node(self, wfjt_node, job_template, rando):
+        wfjt = wfjt_node.workflow_job_template
+        wfjt.admin_role.members.add(rando)
+        wfjt_node.unified_job_template = job_template
+        access = WorkflowJobTemplateNodeAccess(rando)
+        assert access.can_delete(wfjt_node)
+

@pytest.mark.django_db
 class TestWorkflowJobAccess: