check team permissions if attaching user roles

2024-11-01 16:51:11 +03:00 · 2016-06-13 12:34:10 -04:00 · 2016-06-13 12:34:10 -04:00 · c631761091
commit c631761091
parent b485b85076
3 changed files with 4 additions and 7 deletions
--- a/awx/main/access.py
+++ b/awx/main/access.py
@ -660,8 +660,9 @@ class TeamAccess(BaseAccess):
        return self.can_change(obj, None)

    def can_attach(self, obj, sub_obj, relationship, *args, **kwargs):
-        "Reverse obj and sub_obj, defer to RoleAccess if this is a role assignment."
-        if relationship == 'member_role.children':
+        """Reverse obj and sub_obj, defer to RoleAccess if this is an assignment
+        of a resource role to the team."""
+        if isinstance(sub_obj, Role) and isinstance(sub_obj.content_object, ResourceMixin):
            role_access = RoleAccess(self.user)
            return role_access.can_attach(sub_obj, obj, 'member_role.parents',
                                          *args, **kwargs)
@ -669,7 +670,7 @@ class TeamAccess(BaseAccess):
                                                  *args, **kwargs)

    def can_unattach(self, obj, sub_obj, relationship, *args, **kwargs):
-        if relationship == 'member_role.children':
+        if isinstance(sub_obj, Role) and isinstance(sub_obj.content_object, ResourceMixin):
            role_access = RoleAccess(self.user)
            return role_access.can_unattach(sub_obj, obj, 'member_role.parents',
                                            *args, **kwargs)
--- a/awx/main/tests/functional/api/test_create_attach_views.py
+++ b/awx/main/tests/functional/api/test_create_attach_views.py
@ -15,7 +15,6 @@ def test_user_role_view_access(rando, inventory, mocker, post):
    mock_access.can_attach.assert_called_once_with(
        inventory.admin_role, rando, 'members', data,
        skip_sub_obj_read_check=False)
-    assert rando not in inventory.admin_role

@pytest.mark.django_db
 def test_team_role_view_access(rando, team, inventory, mocker, post):
@ -30,7 +29,6 @@ def test_team_role_view_access(rando, team, inventory, mocker, post):
    mock_access.can_attach.assert_called_once_with(
        inventory.admin_role, team, 'member_role.parents', data,
        skip_sub_obj_read_check=False)
-    assert team not in inventory.admin_role

@pytest.mark.django_db
 def test_role_team_view_access(rando, team, inventory, mocker, post):
@ -45,4 +43,3 @@ def test_role_team_view_access(rando, team, inventory, mocker, post):
    mock_access.assert_called_once_with(
        inventory.admin_role, team, 'member_role.parents', data,
        skip_sub_obj_read_check=False)
-    assert team not in inventory.admin_role
--- a/awx/main/tests/functional/test_rbac_role.py
+++ b/awx/main/tests/functional/test_rbac_role.py
@ -30,4 +30,3 @@ def test_role_access_attach(rando, inventory):
    inventory.read_role.members.add(rando)
    access = RoleAccess(rando)
    assert not access.can_attach(inventory.admin_role, rando, 'members', None)
-