
Merge pull request ansible#9346 from rebeccahhh/ee-org-permissions
allow org members to add EEs to an org and superusers to change EEs in an org

Reviewed-by: Rebeccah Hunter <rhunter@redhat.com>
             https://github.com/rebeccahhh
softwarefactory-project-zuul[bot] authored Feb 23, 2021
2 parents 4d2f53e + 02fe173 commit b42a39a
Showing 5 changed files with 38 additions and 13 deletions.
1 change: 1 addition & 0 deletions awx/api/serializers.py
Expand Up @@ -1362,6 +1362,7 @@ def validate(self, attrs):

class ExecutionEnvironmentSerializer(BaseSerializer):
show_capabilities = ['edit', 'delete']
managed_by_tower = serializers.ReadOnlyField()

class Meta:
model = ExecutionEnvironment
2 changes: 2 additions & 0 deletions awx/api/views/__init__.py
Expand Up @@ -688,13 +688,15 @@ class TeamAccessList(ResourceAccessList):

class ExecutionEnvironmentList(ListCreateAPIView):

always_allow_superuser = False
model = models.ExecutionEnvironment
serializer_class = serializers.ExecutionEnvironmentSerializer
swagger_topic = "Execution Environments"


class ExecutionEnvironmentDetail(RetrieveUpdateDestroyAPIView):

always_allow_superuser = False
model = models.ExecutionEnvironment
serializer_class = serializers.ExecutionEnvironmentSerializer
swagger_topic = "Execution Environments"
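Review bot: `always_allow_superuser = False` on ExecutionEnvironmentList and ExecutionEnvironmentDetail only changes anything if ExecutionEnvironmentAccess itself can decline a superuser, and in the awx/main/access.py hunk of this same commit `can_add` and `can_change` are still decorated with `@check_superuser` while `can_delete` delegates to `can_change`. If that decorator short-circuits to True for superusers, as its name suggests, the `if obj.managed_by_tower: raise PermissionDenied` guard at the top of `can_change` is never reached for them, so a superuser can still edit or delete a managed EE through these views and the new view attribute is effectively a no-op. Either remove the decorator from `can_change` and put an explicit superuser branch after the managed check, or enforce the managed-EE restriction in the serializer's validate, which runs regardless of superuser status. A comment on these views such as `# superusers are routed through ExecutionEnvironmentAccess so managed_by_tower EEs stay immutable` would make the intent checkable against the access class. The access class header is outside that hunk.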
25 changes: 13 additions & 12 deletions awx/main/access.py
Expand Up @@ -1325,31 +1325,32 @@ class ExecutionEnvironmentAccess(BaseAccess):

def filtered_queryset(self):
return ExecutionEnvironment.objects.filter(
Q(organization__in=Organization.accessible_pk_qs(self.user, 'execution_environment_admin_role')) |
Q(organization__in=Organization.accessible_pk_qs(self.user, 'read_role')) |
Q(organization__isnull=True)
).distinct()

@check_superuser
def can_add(self, data):
if not data: # So the browseable API will work
return Organization.accessible_objects(self.user, 'execution_environment_admin_role').exists()
return self.check_related('organization', Organization, data)
return self.check_related('organization', Organization, data, mandatory=True,
role_field='execution_environment_admin_role')

@check_superuser
def can_change(self, obj, data):
if obj.managed_by_tower:
raise PermissionDenied
if self.user.is_superuser:
return True
if obj and obj.organization_id is None:
raise PermissionDenied
if self.user not in obj.organization.execution_environment_admin_role:
raise PermissionDenied
org_pk = get_pk_from_dict(data, 'organization')
if obj and obj.organization_id != org_pk:
# Prevent moving an EE to a different organization, unless a superuser or admin on both orgs.
if obj.organization_id is None or org_pk is None:
raise PermissionDenied
if self.user not in Organization.objects.get(id=org_pk).execution_environment_admin_role:
raise PermissionDenied

return True
if data and 'organization' in data:
new_org = get_object_from_data('organization', Organization, data, obj=obj)
if not new_org or self.user not in new_org.execution_environment_admin_role:
return False
return self.check_related('organization', Organization, data, obj=obj, mandatory=True,
role_field='execution_environment_admin_role')

def can_delete(self, obj):
return self.can_change(obj, None)
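Review bot: In `can_change`, `if obj and obj.organization_id is None:` tests `obj` for truthiness after `obj.managed_by_tower` two lines earlier has already dereferenced it, so the `obj and` half is dead and suggests a None-safety the method does not have; `if obj.organization_id is None:` says what is actually checked. The organization-change branch below it ends with `return False` while every other denial in the method is `raise PermissionDenied`, and since `can_delete` reuses `can_change` the two styles also leak into delete; `raise PermissionDenied` in that branch keeps the method uniform. That branch also looks like it duplicates the final `self.check_related(..., obj=obj, mandatory=True, role_field='execution_environment_admin_role')` call, which presumably verifies the same role on the target organization; if it does, the explicit `get_object_from_data` block can go, otherwise a comment stating what it catches that `check_related` does not would save the next reader the same question. The enclosing class header is outside this hunk.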
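--- /dev/null
+++ b/awx/main/migrations/0128_organiaztion_read_roles_ee_admin.py
@@ -0,0 +1,20 @@
+# Generated by Django 2.2.16 on 2021-02-18 22:57
+
+import awx.main.fields
+from django.db import migrations
+import django.db.models.deletion
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('main', '0127_reset_pod_spec_override'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='organization',
+            name='read_role',
+            field=awx.main.fields.ImplicitRoleField(editable=False, null='True', on_delete=django.db.models.deletion.CASCADE, parent_role=['member_role', 'auditor_role', 'execute_role', 'project_admin_role', 'inventory_admin_role', 'workflow_admin_role', 'notification_admin_role', 'credential_admin_role', 'job_template_admin_role', 'approval_role', 'execution_environment_admin_role'], related_name='+', to='main.Role'),
+        ),
+    ]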
3 changes: 2 additions & 1 deletion awx/main/models/organization.py
Expand Up @@ -109,7 +109,8 @@ class Meta:
'execute_role', 'project_admin_role',
'inventory_admin_role', 'workflow_admin_role',
'notification_admin_role', 'credential_admin_role',
'job_template_admin_role', 'approval_role',],
'job_template_admin_role', 'approval_role',
'execution_environment_admin_role',],
)
approval_role = ImplicitRoleField(
parent_role='admin_role',
