Fix 500 error when ordinary user viewed system JTs

ansible · Aug 24, 2024 · fa7a05f · fa7a05f
1 parent 7ed0eee
commit fa7a05f
Show file tree

Hide file tree

Showing 3 changed files with 25 additions and 13 deletions.
diff --git a/awx/main/access.py b/awx/main/access.py
@@ -1843,6 +1843,11 @@ class SystemJobTemplateAccess(BaseAccess):
 
  model = SystemJobTemplate
 
+ def filtered_queryset(self):
+ if self.user.is_superuser or self.user.is_system_auditor:
+ return self.model.objects.all()
+ return self.model.objects.none()
+
  @check_superuser
  def can_start(self, obj, validate_license=True):
  '''Only a superuser can start a job from a SystemJobTemplate'''

diff --git a/awx/main/tests/functional/test_rbac_job.py b/awx/main/tests/functional/test_rbac_job.py
@@ -2,7 +2,7 @@
 
 from rest_framework.exceptions import PermissionDenied
 
-from awx.main.access import JobAccess, JobLaunchConfigAccess, AdHocCommandAccess, InventoryUpdateAccess, ProjectUpdateAccess
+from awx.main.access import JobAccess, JobLaunchConfigAccess, AdHocCommandAccess, InventoryUpdateAccess, ProjectUpdateAccess, SystemJobTemplateAccess
 from awx.main.models import (
  Job,
  JobLaunchConfig,
@@ -350,3 +350,21 @@ def test_can_use_minor(self, rando):
 
  assert access.can_use(config)
  assert rando.can_access(JobLaunchConfig, 'use', config)
+
+
+@pytest.mark.django_db
+class TestSystemJobTemplateAccess:
+ def test_system_job_template_auditor(self, system_auditor, system_job_template):
+ access = SystemJobTemplateAccess(system_auditor)
+ assert access.can_read(system_job_template)
+ assert not access.can_start(system_job_template)
+
+ def test_system_job_template_rando(self, rando, system_job_template):
+ access = SystemJobTemplateAccess(rando)
+ assert not access.can_read(system_job_template)
+ assert not access.can_start(system_job_template)
+
+ def test_system_job_template_superuser(self, admin_user, system_job_template):
+ access = SystemJobTemplateAccess(admin_user)
+ assert access.can_read(system_job_template)
+ assert access.can_start(system_job_template)
diff --git a/awx/main/tests/unit/test_access.py b/awx/main/tests/unit/test_access.py
@@ -5,7 +5,7 @@
 from django.forms.models import model_to_dict
 from rest_framework.exceptions import ParseError
 
-from awx.main.access import BaseAccess, check_superuser, JobTemplateAccess, WorkflowJobTemplateAccess, SystemJobTemplateAccess, vars_are_encrypted
+from awx.main.access import BaseAccess, check_superuser, JobTemplateAccess, WorkflowJobTemplateAccess, vars_are_encrypted
 
 from awx.main.models import (
  Credential,
@@ -239,14 +239,3 @@ def can_copy(self, obj):
  foo = object()
  foo_capabilities = foo_access.get_user_capabilities(foo, ['edit', 'copy'])
  assert foo_capabilities == {'edit': 'bar', 'copy': 'foo'}
-
-
-def test_system_job_template_can_start(mocker):
- user = mocker.MagicMock(spec=User, id=1, is_system_auditor=True, is_superuser=False)
- assert user.is_system_auditor
- access = SystemJobTemplateAccess(user)
- assert not access.can_start(None)
-
- user.is_superuser = True
- access = SystemJobTemplateAccess(user)
- assert access.can_start(None)