mirror of
https://github.com/ansible/awx.git
Ensure that only the super user can dis/associate IGs from Orgs
parent
e2d943fd1a
commit
d7fd3a467a
@ -510,6 +510,8 @@ class OrganizationAccess(BaseAccess):
|
|||||||
I can change or delete organizations when:
|
I can change or delete organizations when:
|
||||||
- I am a superuser.
|
- I am a superuser.
|
||||||
- I'm an admin of that organization.
|
- I'm an admin of that organization.
|
||||||
|
I can associate/disassociate instance groups when:
|
||||||
|
- I am a superuser.
|
||||||
'''
|
'''
|
||||||
|
|
||||||
model = Organization
|
model = Organization
|
||||||
@ -541,7 +543,7 @@ class OrganizationAccess(BaseAccess):
|
|||||||
|
|
||||||
def can_attach(self, obj, sub_obj, relationship, *args, **kwargs):
|
def can_attach(self, obj, sub_obj, relationship, *args, **kwargs):
|
||||||
if relationship == "instance_groups":
|
if relationship == "instance_groups":
|
||||||
if self.user.can_access(type(sub_obj), "read", sub_obj) and self.user in obj.admin_role:
|
if self.user.is_superuser:
|
||||||
return True
|
return True
|
||||||
return False
|
return False
|
||||||
return super(OrganizationAccess, self).can_attach(obj, sub_obj, relationship, *args, **kwargs)
|
return super(OrganizationAccess, self).can_attach(obj, sub_obj, relationship, *args, **kwargs)
|
||||||
|
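Review bot: In `can_attach`, the `instance_groups` branch is now `if self.user.is_superuser: return True` followed by `return False`, which reads more directly as `return self.user.is_superuser`. It also deserves a why-comment such as `# Superuser-only on purpose: the organization admin_role is deliberately not sufficient for instance groups.` so the restriction is not loosened again by accident. The commit title and the new docstring both cover disassociation, but no `can_unattach` change is visible in these hunks, so the removal path presumably routes through this method. That is worth confirming and stating in the comment, because a later `can_unattach` override that skips this check would reopen the organization-admin path.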
@ -50,7 +50,7 @@ def test_ig_associability(organization, default_instance_group, admin, system_au
|
|||||||
organization.instance_groups.add(default_instance_group)
|
organization.instance_groups.add(default_instance_group)
|
||||||
|
|
||||||
assert admin_access.can_unattach(organization, default_instance_group, 'instance_groups', None)
|
assert admin_access.can_unattach(organization, default_instance_group, 'instance_groups', None)
|
||||||
assert oadmin_access.can_unattach(organization, default_instance_group, 'instance_groups', None)
|
assert not oadmin_access.can_unattach(organization, default_instance_group, 'instance_groups', None)
|
||||||
assert not auditor_access.can_unattach(organization, default_instance_group, 'instance_groups', None)
|
assert not auditor_access.can_unattach(organization, default_instance_group, 'instance_groups', None)
|
||||||
assert not omember_access.can_unattach(organization, default_instance_group, 'instance_groups', None)
|
assert not omember_access.can_unattach(organization, default_instance_group, 'instance_groups', None)
|
||||||
|
|
||||||
|
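Review bot: The only assertion changed here is the organization admin's `can_unattach`, so the case the old condition allowed, an organization admin with read access to the instance group calling `can_attach`, is not visibly pinned by this hunk. If the part of `test_ig_associability` above the hunk does not already cover it, add `assert not oadmin_access.can_attach(organization, default_instance_group, 'instance_groups', None)`, with the fixture set up so the old read check would have passed. A regression to the admin-role check would then fail the test. The test function begins outside the hunk, so an equivalent attach assertion may already exist there.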