From c7bedcb00413ca42a29a1de8d1a28f78652af203 Mon Sep 17 00:00:00 2001
From: AlanCoding
Date: Fri, 1 Jul 2016 09:51:26 -0400
Subject: [PATCH] Do not allow creating proejcts as foreign org admin

---
 awx/main/access.py | 5 +++--
 awx/main/tests/functional/test_rbac_project.py | 8 ++++++++
 2 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/awx/main/access.py b/awx/main/access.py
index 624d8945d2..d60ffe8999 100644
--- a/awx/main/access.py
+++ b/awx/main/access.py
@@ -706,8 +706,9 @@ class ProjectAccess(BaseAccess):

     @check_superuser
     def can_add(self, data):
-        qs = Organization.accessible_objects(self.user, 'admin_role')
-        return qs.exists()
+        organization_pk = get_pk_from_dict(data, 'organization')
+        org = get_object_or_400(Organization, pk=organization_pk)
+        return self.user in org.admin_role

     @check_superuser
     def can_change(self, obj, data):
diff --git a/awx/main/tests/functional/test_rbac_project.py b/awx/main/tests/functional/test_rbac_project.py
index a225154d21..ba88226b2e 100644
--- a/awx/main/tests/functional/test_rbac_project.py
+++ b/awx/main/tests/functional/test_rbac_project.py
@@ -2,6 +2,7 @@ import pytest

 from awx.main.migrations import _rbac as rbac
 from awx.main.models import Role, Permission, Project, Organization, Credential, JobTemplate, Inventory
+from awx.main.access import ProjectAccess
 from django.apps import apps
 from awx.main.migrations import _old_access as old_access

@@ -209,3 +210,10 @@ def test_project_explicit_permission(user, team, project, organization):
     rbac.migrate_projects(apps, None)

     assert u in project.read_role
+
+@pytest.mark.django_db
+def test_create_project_foreign_org_admin(org_admin, organization, organization_factory):
+    """Org admins can only create projects in their own org."""
+    other_org = organization_factory('not-my-org').organization
+    access = ProjectAccess(org_admin)
+    assert not access.can_add({'organization': other_org.pk, 'name': 'new-project'})
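Review bot: The foreign-org restriction added to `can_add` is only as strong as `can_change`, which begins on the last line of this hunk with its body outside it: if `can_change` checks only `obj.admin_role` and ignores a new `organization` in `data`, an org admin can create the project in their own org and then PATCH it into a foreign one, reaching the same state this commit forbids. I can't confirm from here, but if that is the case the same test belongs there, e.g. `new_org_pk = get_pk_from_dict(data, 'organization')` followed by `if new_org_pk and new_org_pk != obj.organization_id and self.user not in get_object_or_400(Organization, pk=new_org_pk).admin_role: return False`. Separately, when the request omits `organization`, `get_pk_from_dict` presumably yields `None` and `get_object_or_400` then answers with a 400 instead of a permission decision, so non-superuser org admins lose the ability the old `accessible_objects(...).exists()` check gave them to create org-less projects; if that tightening is intended, a one-line comment such as `# Non-superusers must name an organization they administer; superusers are admitted by @check_superuser` would make it deliberate rather than incidental.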
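Review bot: The new test pins only the denial and never shows that the check still admits the legitimate case, so a regression that makes `can_add` return False for everyone would pass it; the `organization` fixture it requests is also unused, which suggests the positive assertion was intended. Assuming the `org_admin` fixture administers `organization`, add `assert access.can_add({'organization': organization.pk, 'name': 'new-project'})` before the negative assert. Minor style point: PEP 8 wants two blank lines before a top-level `def`, and the hunk adds only one ahead of `@pytest.mark.django_db`.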