Fix 500 error when ordinary user viewed system JTs (ansible#15465)
AlanCoding authored Aug 26, 2024
1 parent 7ed0eee commit f5760b1
Showing 3 changed files with 25 additions and 13 deletions.
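--- a/awx/main/access.py
+++ b/awx/main/access.py
@@ -1843,6 +1843,11 @@ class SystemJobTemplateAccess(BaseAccess):
 
 model = SystemJobTemplate
 
+def filtered_queryset(self):
+if self.user.is_superuser or self.user.is_system_auditor:
+return self.model.objects.all()
+return self.model.objects.none()
+
 @check_superuser
 def can_start(self, obj, validate_license=True):
 '''Only a superuser can start a job from a SystemJobTemplate'''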
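Review bot: The new `filtered_queryset` on `SystemJobTemplateAccess` has no docstring, so the visibility rule it encodes can only be learned by reading the body. Since this is the read-side access decision for system job templates, I would state it in the file's existing `'''` style, e.g. `'''System job templates are visible only to superusers and system auditors; any other user gets an empty queryset'''`. The comment should also say that the explicit `.none()` is deliberate, presumably because the inherited role-based filter does not apply to this model, so a later refactor does not fall back to it. The class body starts and continues outside this hunk.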
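--- a/awx/main/tests/functional/test_rbac_job.py
+++ b/awx/main/tests/functional/test_rbac_job.py
@@ -2,7 +2,7 @@
 
 from rest_framework.exceptions import PermissionDenied
 
-from awx.main.access import JobAccess, JobLaunchConfigAccess, AdHocCommandAccess, InventoryUpdateAccess, ProjectUpdateAccess
+from awx.main.access import JobAccess, JobLaunchConfigAccess, AdHocCommandAccess, InventoryUpdateAccess, ProjectUpdateAccess, SystemJobTemplateAccess
 from awx.main.models import (
 Job,
 JobLaunchConfig,
@@ -350,3 +350,21 @@ def test_can_use_minor(self, rando):
 
 assert access.can_use(config)
 assert rando.can_access(JobLaunchConfig, 'use', config)
+
+
+@pytest.mark.django_db
+class TestSystemJobTemplateAccess:
+def test_system_job_template_auditor(self, system_auditor, system_job_template):
+access = SystemJobTemplateAccess(system_auditor)
+assert access.can_read(system_job_template)
+assert not access.can_start(system_job_template)
+
+def test_system_job_template_rando(self, rando, system_job_template):
+access = SystemJobTemplateAccess(rando)
+assert not access.can_read(system_job_template)
+assert not access.can_start(system_job_template)
+
+def test_system_job_template_superuser(self, admin_user, system_job_template):
+access = SystemJobTemplateAccess(admin_user)
+assert access.can_read(system_job_template)
+assert access.can_start(system_job_template)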
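Review bot: None of the three new tests in `TestSystemJobTemplateAccess` calls `filtered_queryset()` itself, so the method this commit adds is exercised only indirectly, presumably through `can_read`. I would pin the queryset result per role, for example `assert not access.filtered_queryset().exists()` in `test_system_job_template_rando` and `assert system_job_template in access.filtered_queryset()` in the auditor and superuser cases. The commit title describes a 500 when an ordinary user views system job templates, and no request-level test for that path is visible on this page. If none exists elsewhere, one that asserts on the response status for an ordinary user would guard the actual regression.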
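--- a/awx/main/tests/unit/test_access.py
+++ b/awx/main/tests/unit/test_access.py
@@ -5,7 +5,7 @@
 from django.forms.models import model_to_dict
 from rest_framework.exceptions import ParseError
 
-from awx.main.access import BaseAccess, check_superuser, JobTemplateAccess, WorkflowJobTemplateAccess, SystemJobTemplateAccess, vars_are_encrypted
+from awx.main.access import BaseAccess, check_superuser, JobTemplateAccess, WorkflowJobTemplateAccess, vars_are_encrypted
 
 from awx.main.models import (
 Credential,
@@ -239,14 +239,3 @@ def can_copy(self, obj):
 foo = object()
 foo_capabilities = foo_access.get_user_capabilities(foo, ['edit', 'copy'])
 assert foo_capabilities == {'edit': 'bar', 'copy': 'foo'}
-
-
-def test_system_job_template_can_start(mocker):
-user = mocker.MagicMock(spec=User, id=1, is_system_auditor=True, is_superuser=False)
-assert user.is_system_auditor
-access = SystemJobTemplateAccess(user)
-assert not access.can_start(None)
-
-user.is_superuser = True
-access = SystemJobTemplateAccess(user)
-assert access.can_start(None)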
