shaba/awx
1
0
Fork 0
mirror of https://github.com/ansible/awx.git synced 2024-11-02 01:21:21 +03:00
Code Releases Activity

Ensure InventorySource access is checking against Inventory access properly

Browse Source
This commit is contained in:
Wayne Witzel III 2017-06-15 09:29:17 -04:00
parent a701ac7fd6
commit d8dfc7e97b
1 changed files with 10 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
awx/main/access.py
View File

@ -784,8 +784,8 @@ class GroupAccess(BaseAccess):
class InventorySourceAccess(BaseAccess): class InventorySourceAccess(BaseAccess):
''' '''
I can see inventory sources whenever I can see their group or inventory. I can see inventory sources whenever I can see their inventory.
I can change inventory sources whenever I can change their group. I can change inventory sources whenever I can change their inventory.
''' '''
model = InventorySource model = InventorySource
@ -815,8 +815,15 @@ class InventorySourceAccess(BaseAccess):
inventory=data.get('inventory'), inventory=data.get('inventory'),
update_on_project_update=True, source='scm').exists()) update_on_project_update=True, source='scm').exists())
@check_superuser
def can_delete(self, obj):
if obj and obj.inventory:
return self.user.can_access(Inventory, 'admin', obj.inventory, None)
return False
@check_superuser
def can_change(self, obj, data): def can_change(self, obj, data):
# Checks for admin or change permission on group. # Checks for admin change permission on inventory.
if obj and obj.inventory: if obj and obj.inventory:
return ( return (
self.user.can_access(Inventory, 'change', obj.inventory, None) and self.user.can_access(Inventory, 'change', obj.inventory, None) and