shaba/awx
1
0
Fork 0
mirror of https://github.com/ansible/awx.git synced 2024-11-02 01:21:21 +03:00
Code Releases Activity

Fix user capabilities when MANAGE_ORGANIZATION_AUTH is disabled

Browse Source
This commit is contained in:
Wayne Witzel III 2018-03-19 15:14:08 -04:00
parent a9da494904
commit d5564e8d81
1 changed files with 7 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
awx/main/access.py
View File

@ -335,6 +335,10 @@ class BaseAccess(object):
if display_method not in method_list: if display_method not in method_list:
continue continue
if not settings.MANAGE_ORGANIZATION_AUTH and isinstance(obj, (Team, User)):
user_capabilities[display_method] = self.user.is_superuser
continue
# Actions not possible for reason unrelated to RBAC # Actions not possible for reason unrelated to RBAC
# Cannot copy with validation errors, or update a manual group/project # Cannot copy with validation errors, or update a manual group/project
if display_method == 'copy' and isinstance(obj, JobTemplate): if display_method == 'copy' and isinstance(obj, JobTemplate):
@ -352,9 +356,6 @@ class BaseAccess(object):
# Connot copy manual project without errors # Connot copy manual project without errors
user_capabilities[display_method] = False user_capabilities[display_method] = False
continue continue
elif display_method == 'copy' and (isinstance(obj, Team) or isinstance(obj, User)):
user_capabilities[display_method] = False
continue
elif display_method in ['start', 'schedule'] and isinstance(obj, Group): # TODO: remove in 3.3 elif display_method in ['start', 'schedule'] and isinstance(obj, Group): # TODO: remove in 3.3
try: try:
if obj.deprecated_inventory_source and not obj.deprecated_inventory_source._can_update(): if obj.deprecated_inventory_source and not obj.deprecated_inventory_source._can_update():
@ -528,7 +529,7 @@ class UserAccess(BaseAccess):
@check_superuser @check_superuser
def can_admin(self, obj, data): def can_admin(self, obj, data):
if not settings.MANAGE_ORGANIZTION_AUTH: if not settings.MANAGE_ORGANIZATION_AUTH:
return False return False
return Organization.objects.filter(Q(member_role__members=obj) | Q(admin_role__members=obj), return Organization.objects.filter(Q(member_role__members=obj) | Q(admin_role__members=obj),
Q(admin_role__members=self.user)).exists() Q(admin_role__members=self.user)).exists()
@ -546,7 +547,7 @@ class UserAccess(BaseAccess):
return False return False
def can_attach(self, obj, sub_obj, relationship, *args, **kwargs): def can_attach(self, obj, sub_obj, relationship, *args, **kwargs):
if not settings.MANAGE_ORGANIZTION_AUTH: if not settings.MANAGE_ORGANIZTAION_AUTH:
return False return False
# Reverse obj and sub_obj, defer to RoleAccess if this is a role assignment. # Reverse obj and sub_obj, defer to RoleAccess if this is a role assignment.
@ -556,7 +557,7 @@ class UserAccess(BaseAccess):
return super(UserAccess, self).can_attach(obj, sub_obj, relationship, *args, **kwargs) return super(UserAccess, self).can_attach(obj, sub_obj, relationship, *args, **kwargs)
def can_unattach(self, obj, sub_obj, relationship, *args, **kwargs): def can_unattach(self, obj, sub_obj, relationship, *args, **kwargs):
if not settings.MANAGE_ORGANIZTION_AUTH: if not settings.MANAGE_ORGANIZATION_AUTH:
return False return False
if relationship == 'roles': if relationship == 'roles':