mirror of https://github.com/ansible/awx.git synced 2024-10-31 15:21:13 +03:00

Ensure that only the super user can dis/associate IGs from Orgs

Matthew Jones 2017-08-29 09:16:39 -04:00
parent e2d943fd1a
commit d7fd3a467a
No known key found for this signature in database
GPG Key ID: 76A4C17A97590C1C
2 changed files with 4 additions and 2 deletions


@ -510,6 +510,8 @@ class OrganizationAccess(BaseAccess):
I can change or delete organizations when: I can change or delete organizations when:
- I am a superuser. - I am a superuser.
- I'm an admin of that organization. - I'm an admin of that organization.
I can associate/disassociate instance groups when:
- I am a superuser.
''' '''
model = Organization model = Organization
@ -541,7 +543,7 @@ class OrganizationAccess(BaseAccess):
def can_attach(self, obj, sub_obj, relationship, *args, **kwargs): def can_attach(self, obj, sub_obj, relationship, *args, **kwargs):
if relationship == "instance_groups": if relationship == "instance_groups":
if self.user.can_access(type(sub_obj), "read", sub_obj) and self.user in obj.admin_role: if self.user.is_superuser:
return True return True
return False return False
return super(OrganizationAccess, self).can_attach(obj, sub_obj, relationship, *args, **kwargs) return super(OrganizationAccess, self).can_attach(obj, sub_obj, relationship, *args, **kwargs)
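Review bot: The docstring added in the first hunk promises superuser-only for both associate and disassociate, but the only logic changed in this file is `can_attach`. `can_unattach` is outside both hunks, so the disassociate half holds only if it sends the `instance_groups` case through `can_attach`; that is worth confirming, because otherwise an organization admin could still detach an instance group. The `instance_groups` branch can also collapse to `return self.user.is_superuser`, which states the deny-by-default rule in one line. A comment above it such as `# instance group membership is superuser-only; the org admin_role is deliberately not sufficient` would discourage a later edit from restoring the role check. The class body continues outside both hunks.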


@ -50,7 +50,7 @@ def test_ig_associability(organization, default_instance_group, admin, system_au
organization.instance_groups.add(default_instance_group) organization.instance_groups.add(default_instance_group)
assert admin_access.can_unattach(organization, default_instance_group, 'instance_groups', None) assert admin_access.can_unattach(organization, default_instance_group, 'instance_groups', None)
assert oadmin_access.can_unattach(organization, default_instance_group, 'instance_groups', None) assert not oadmin_access.can_unattach(organization, default_instance_group, 'instance_groups', None)
assert not auditor_access.can_unattach(organization, default_instance_group, 'instance_groups', None) assert not auditor_access.can_unattach(organization, default_instance_group, 'instance_groups', None)
assert not omember_access.can_unattach(organization, default_instance_group, 'instance_groups', None) assert not omember_access.can_unattach(organization, default_instance_group, 'instance_groups', None)
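Review bot: Only the `can_unattach` assertion for `oadmin_access` is flipped here, so the attach side of the new rule is not pinned by anything visible in this hunk. The `can_attach` assertions sit above the hunk and are unchanged by the commit; if the org admin had no read access to `default_instance_group` at that point (an inference, since the fixtures are not visible), that denial already held under the old check and would not catch a regression. Consider repeating `assert not oadmin_access.can_attach(organization, default_instance_group, 'instance_groups', None)` after the `organization.instance_groups.add(...)` line, where the old read-plus-admin condition is most likely to have been satisfied. The test function starts outside the hunk.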