From d7fd3a467aecceff1aa18ed63420082e4c863c7e Mon Sep 17 00:00:00 2001
From: Matthew Jones
Date: Tue, 29 Aug 2017 09:16:39 -0400
Subject: [PATCH] Ensure that only the super user can dis/associate IGs from Orgs
---
awx/main/access.py | 4 +++-
awx/main/tests/functional/test_rbac_instance_groups.py | 2 +-
2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/awx/main/access.py b/awx/main/access.py
index badd3f415f..3c3a92884c 100644
--- a/awx/main/access.py
+++ b/awx/main/access.py
@@ -510,6 +510,8 @@ class OrganizationAccess(BaseAccess):
I can change or delete organizations when: - I am a superuser. - I'm an admin of that organization. + I can associate/disassociate instance groups when: + - I am a superuser. ''' model = Organization
@@ -541,7 +543,7 @@ class OrganizationAccess(BaseAccess):
def can_attach(self, obj, sub_obj, relationship, *args, **kwargs):
if relationship == "instance_groups":
- if self.user.can_access(type(sub_obj), "read", sub_obj) and self.user in obj.admin_role:
+ if self.user.is_superuser:
return True
return False
return super(OrganizationAccess, self).can_attach(obj, sub_obj, relationship, *args, **kwargs)
diff --git a/awx/main/tests/functional/test_rbac_instance_groups.py b/awx/main/tests/functional/test_rbac_instance_groups.py
index 07a6c32c9f..2021f537ca 100644
--- a/awx/main/tests/functional/test_rbac_instance_groups.py
+++ b/awx/main/tests/functional/test_rbac_instance_groups.py
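Review bot: The superuser gate in the `@@ -541,7 +543,7 @@` hunk is applied to `can_attach` only; whether `can_unattach` for `"instance_groups"` routes through this branch is not visible in the hunk, and if it carries its own admin-role check the "disassociate" half of the commit title is not enforced by this change. The test hunk in test_rbac_instance_groups.py exercises only `can_unattach`, which suggests it does delegate here, but that should be confirmed against the rest of `OrganizationAccess`, whose body continues outside the hunk. As a point of style, the `if self.user.is_superuser:` / `return True` / `return False` ladder collapses to a single `return self.user.is_superuser` (wrap in `bool(...)` if callers depend on a strict boolean). A short why-comment on the branch, e.g. `# instance group membership is a deployment-wide decision, so org admins may not change it`, would also record the intent the docstring hunk only states.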
@@ -50,7 +50,7 @@ def test_ig_associability(organization, default_instance_group, admin, system_au
organization.instance_groups.add(default_instance_group)
assert admin_access.can_unattach(organization, default_instance_group, 'instance_groups', None)
- assert oadmin_access.can_unattach(organization, default_instance_group, 'instance_groups', None)
+ assert not oadmin_access.can_unattach(organization, default_instance_group, 'instance_groups', None)
assert not auditor_access.can_unattach(organization, default_instance_group, 'instance_groups', None)
assert not omember_access.can_unattach(organization, default_instance_group, 'instance_groups', None)
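Review bot: Only the `can_unattach` expectation for `oadmin_access` is flipped here, while the code change in access.py is to `can_attach`; if `test_ig_associability` (its body starts outside the hunk) asserts the organization admin's attach permission earlier, that assertion needs the same flip to `assert not oadmin_access.can_attach(organization, default_instance_group, 'instance_groups', None)`, otherwise the tightened attach rule has no test that would fail on regression. The truncated `system_au` in the hunk header is git's function-context truncation, not a defect in the test.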