1
0
mirror of https://github.com/ansible/awx.git synced 2024-11-01 08:21:15 +03:00

prevent non-superusers from adding orphan users

This commit is contained in:
Wayne Witzel III 2016-08-18 09:55:20 -04:00
parent 19fbe4b7fd
commit cef7f5a165
2 changed files with 9 additions and 1 deletions

View File

@ -19,7 +19,7 @@ from awx.main.utils import get_object_or_400
logger = logging.getLogger('awx.api.permissions') logger = logging.getLogger('awx.api.permissions')
__all__ = ['ModelAccessPermission', 'JobTemplateCallbackPermission', __all__ = ['ModelAccessPermission', 'JobTemplateCallbackPermission',
'TaskPermission', 'ProjectUpdatePermission'] 'TaskPermission', 'ProjectUpdatePermission', 'UserPermission']
class ModelAccessPermission(permissions.BasePermission): class ModelAccessPermission(permissions.BasePermission):
''' '''
@ -202,3 +202,10 @@ class ProjectUpdatePermission(ModelAccessPermission):
def check_post_permissions(self, request, view, obj=None): def check_post_permissions(self, request, view, obj=None):
project = get_object_or_400(view.model, pk=view.kwargs['pk']) project = get_object_or_400(view.model, pk=view.kwargs['pk'])
return check_user_access(request.user, view.model, 'start', project) return check_user_access(request.user, view.model, 'start', project)
class UserPermission(ModelAccessPermission):
def check_post_permissions(self, request, view, obj=None):
if request.user.is_superuser:
return True
raise PermissionDenied()

View File

@ -1152,6 +1152,7 @@ class UserList(ListCreateAPIView):
model = User model = User
serializer_class = UserSerializer serializer_class = UserSerializer
permission_classes = (UserPermission,)
def post(self, request, *args, **kwargs): def post(self, request, *args, **kwargs):
ret = super(UserList, self).post( request, *args, **kwargs) ret = super(UserList, self).post( request, *args, **kwargs)