From 6e52c2da501545e3b6e0152db9723b79f07f68aa Mon Sep 17 00:00:00 2001
From: Gabe Muniz
Date: Fri, 31 Mar 2023 00:26:28 -0400
Subject: [PATCH] added more tests to verify fix

---
 awx/main/access.py | 6 +--
 .../functional/test_rbac_job_templates.py | 47 +++++++++++++++++++
 2 files changed, 50 insertions(+), 3 deletions(-)

diff --git a/awx/main/access.py b/awx/main/access.py
index 096a485f49d7..06f270701c8f 100644
--- a/awx/main/access.py
+++ b/awx/main/access.py
@@ -1629,18 +1629,18 @@ def can_change(self, obj, data):
 return True
 data = dict(data)
-
 if self.changes_are_non_sensitive(obj, data):
 return True
-
 if not self.check_related('execution_environment', ExecutionEnvironment, data, obj=obj, role_field='read_role'):
 return False
-
 for required_field, cls in (('inventory', Inventory), ('project', Project)):
 is_mandatory = True
 if not getattr(obj, '{}_id'.format(required_field)):
 is_mandatory = False
 if not self.check_related(required_field, cls, data, obj=obj, role_field='use_role', mandatory=is_mandatory):
+ if required_field in data:
+ new_obj = get_object_from_data(required_field, cls, data)
+ return self.user in new_obj.use_role and (self.user in obj.inventory.use_role or self.user in obj.project.use_role)
 return False
 return True
diff --git a/awx/main/tests/functional/test_rbac_job_templates.py b/awx/main/tests/functional/test_rbac_job_templates.py
index bccec0a1c2e1..b92ccc4ad3ed 100644
--- a/awx/main/tests/functional/test_rbac_job_templates.py
+++ b/awx/main/tests/functional/test_rbac_job_templates.py
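Review bot: The added branch returns from can_change as soon as the first failing related field is handled, so when `data` carries both `inventory` and `project` and the inventory branch evaluates to True, the project value is never checked against any `use_role` at all; the branch only ever grants when `check_related` rejected an object the user does hold use on, so that situation is evidently expected, and it lets a JT admin with use on the new inventory and the current project attach an arbitrary project in the same request. `obj.inventory.use_role` and `obj.project.use_role` also dereference a related object that the `is_mandatory` logic two lines above explicitly allows to be None, and `new_obj.use_role` does the same if `get_object_from_data` returns None for a null value, turning a permission check into an AttributeError. I would make the branch deny-or-continue instead of grant-and-return, and skip None related objects as below. can_change begins before this hunk.
```python
            if not self.check_related(required_field, cls, data, obj=obj, role_field='use_role', mandatory=is_mandatory):
                if required_field not in data:
                    return False
                new_obj = get_object_from_data(required_field, cls, data)
                if new_obj is None or self.user not in new_obj.use_role:
                    return False
                # swapping a related object still requires use on one of the JT's current related objects
                current = [rel for rel in (obj.inventory, obj.project) if rel is not None]
                if not any(self.user in rel.use_role for rel in current):
                    return False
                # fall through so the remaining field in data is validated too
        return True
```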
@@ -328,3 +328,50 @@ def test_inventory_read_transfer_indirect(self, patch):
 inv.save(update_fields=['organization'])
 assert admins[0] not in jt.read_role
 assert admins[1] in jt.read_role
+
+
+@pytest.mark.django_db
+def test_job_template_mixed_permission(rando, bob, project, inventory):
+ """The job template permissions are a bit tricky when it comes to jt admin and use permissions on related objects
+ This test tries to test different variation of use permissions
+ """
+ # Create new inventory and projects to associate
+ job_template = JobTemplate.objects.create(name='test-jt', project=project, playbook='helloworld.yml', inventory=inventory, ask_credential_on_launch=True)
+ access = JobTemplateAccess(rando)
+ inv1 = Inventory.objects.create(name='test', organization=project.organization)
+ proj1 = Project.objects.create(name='new_proj', scm_type=project.scm_type, playbook_files=project.playbook_files, organization=project.organization)
+ proj2 = Project.objects.create(name='proj2', scm_type=project.scm_type, playbook_files=project.playbook_files, organization=project.organization)
+
+ assert not access.can_change(job_template, {'project': proj1.pk})
+ assert not access.can_change(job_template, {'inventory': inv1.pk})
+
+ # assign permissions to new project to associate and existing job template admin and inv use
+ proj1.use_role.members.add(rando)
+ job_template.admin_role.members.add(rando)
+ job_template.inventory.use_role.members.add(rando)
+
+ assert not access.can_change(job_template, {'inventory': inv1.pk})
+ assert access.can_change(job_template, {'project': proj1.pk})
+
+ # remove use perm on inventory and add use to associated project
+ job_template.inventory.use_role.members.remove(rando)
+ job_template.project.use_role.members.add(rando)
+ proj1.use_role.members.remove(rando)
+ inv1.use_role.members.add(rando)
+
+ assert not access.can_change(job_template, {'project': proj2.pk})
+ assert access.can_change(job_template, {'project': project.pk})
+ assert
access.can_change(job_template, {'inventory': inv1.pk})
+
+ # remove project and inventory permission
+ job_template.project.use_role.members.remove(rando)
+ job_template.update_fields(project=project)
+ job_template.inventory.use_role.members.remove(rando)
+
+ assert not access.can_change(job_template, {'project': proj1.pk})
+ assert not access.can_change(job_template, {'inventory': inv1.pk})
+
+ jt = JobTemplate.objects.create(name='test-jt', project=project, playbook='helloworld.yml', inventory=inventory, ask_credential_on_launch=True)
+ jt.admin_role.members.add(bob)
+ assert not access.can_change(jt, {'project': proj1.pk})
+ assert not access.can_change(jt, {'inventory': inv1.pk})
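Review bot: The new test never exercises the two inputs the access code in this commit treats specially: a single request that changes both related objects, and a job template whose inventory or project is None (the `is_mandatory` path in access.py). In the third phase, where rando holds use on `inv1` and on the current project but not on `proj2`, adding `assert not access.can_change(job_template, {'inventory': inv1.pk, 'project': proj2.pk})` would pin that the project is still validated when the inventory swap alone would be allowed. A template created without an inventory, e.g. `JobTemplate.objects.create(name='no-inv-jt', project=project, playbook='helloworld.yml')` with rando as admin, followed by `assert not access.can_change(no_inv_jt, {'project': proj2.pk})`, would cover the None case that the access code dereferences via `obj.inventory.use_role`.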