Fixes RBAC issue, ensures can admin of sub_obj when needed

2024-11-02 09:51:09 +03:00 · 2018-04-02 14:10:14 -04:00 · 2018-04-02 14:10:14 -04:00 · ea7a0b2f58
commit ea7a0b2f58
parent 8ad9d07896
2 changed files with 15 additions and 0 deletions
--- a/awx/main/access.py
+++ b/awx/main/access.py
@ -2523,6 +2523,10 @@ class RoleAccess(BaseAccess):
            if not check_user_access(self.user, sub_obj_resource.__class__, 'read', sub_obj_resource):
                return False

+        if isinstance(obj.content_object, Organization) and obj.role_field == 'member_role':
+            if not UserAccess(self.user).can_admin(sub_obj, data):
+                return False
+
        if isinstance(obj.content_object, ResourceMixin) and \
           self.user in obj.content_object.admin_role:
            return True
--- a/awx/main/tests/functional/test_rbac_role.py
+++ b/awx/main/tests/functional/test_rbac_role.py
@ -50,3 +50,14 @@ def test_visible_roles(admin_user, system_auditor, rando, organization, project)
    assert rando not in project.admin_role
    assert access.can_read(project.admin_role)
    assert project.admin_role in Role.visible_roles(rando)
+
+
+@pytest.mark.django_db
+def test_org_user_role_attach(user, organization):
+    admin = user('admin')
+    nonmember = user('nonmember')
+
+    organization.admin_role.members.add(admin)
+
+    access = RoleAccess(admin)
+    assert not access.can_attach(organization.member_role, nonmember, 'members', None)