From ed762fd4b6479fd51b74e46b05480f6f4749bfd2 Mon Sep 17 00:00:00 2001
From: AlanCoding
Date: Thu, 7 Jun 2018 14:17:06 -0400
Subject: [PATCH] prohibit users without read_role from viewing copy endpoint
---
 awx/api/generics.py | 2 ++
 awx/main/tests/functional/test_copy.py | 3 ++-
 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/awx/api/generics.py b/awx/api/generics.py
index b0155e1429..67154ba786 100644
--- a/awx/api/generics.py
+++ b/awx/api/generics.py
@@ -929,6 +929,8 @@ class CopyAPIView(GenericAPIView):
 if get_request_version(request) < 2:
 return self.v1_not_allowed()
 obj = self.get_object()
+ if not request.user.can_access(obj.__class__, 'read', obj):
+ raise PermissionDenied()
 create_kwargs = self._build_create_dict(obj)
 for key in create_kwargs:
 create_kwargs[key] = getattr(create_kwargs[key], 'pk', None) or create_kwargs[key]
diff --git a/awx/main/tests/functional/test_copy.py b/awx/main/tests/functional/test_copy.py
index 99e123a8fa..0b651f59ca 100644
--- a/awx/main/tests/functional/test_copy.py
+++ b/awx/main/tests/functional/test_copy.py
@@ -170,7 +170,7 @@ def test_credential_copy(post, get, machine_credential, credentialtype_ssh, admi
 @pytest.mark.django_db
 def test_notification_template_copy(post, get, notification_template_with_encrypt, organization, alice):
- #notification_template_with_encrypt.admin_role.members.add(alice)
+ notification_template_with_encrypt.organization.auditor_role.members.add(alice)
 assert get(
 reverse(
 'api:notification_template_copy',
 kwargs={'pk': notification_template_with_encrypt.pk}
@@ -197,6 +197,7 @@ def test_notification_template_copy(post, get, notification_template_with_encryp
 @pytest.mark.django_db
 def test_inventory_script_copy(post, get, inventory_script, organization, alice):
+ inventory_script.organization.auditor_role.members.add(alice)
 assert get(
 reverse('api:inventory_script_copy', kwargs={'pk': inventory_script.pk}),
 alice, expect=200
 ).data['can_copy'] is False
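Review bot: The added `can_access(..., 'read', ...)` guard in the generics.py hunk runs only after `self.get_object()` has already resolved the pk, so a caller without read access gets a 403 while a non-existent pk gets a 404, which lets an unprivileged user confirm that an object with a given pk exists. Unless the view's queryset is already limited to objects the user can read, a less revealing option is to raise DRF's `NotFound()` here (or to restrict `get_queryset()` so the lookup itself returns 404); if 403 is the deliberate convention for this API, a one-line comment such as `# Require read access before the source object's field values are exposed via create_kwargs` would record that intent. The enclosing handler starts before the hunk, and the matching gate for the POST side of CopyAPIView is not visible in this diff, so it is worth confirming the same check applies there.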