From fa7a05f05c1e34e84e4882e4fd0b0e64b503fbe3 Mon Sep 17 00:00:00 2001
From: Alan Rominger
Date: Fri, 23 Aug 2024 23:13:21 -0400
Subject: [PATCH] Fix 500 error when ordinary user viewed system JTs
---
 awx/main/access.py | 5 +++++
 awx/main/tests/functional/test_rbac_job.py | 20 +++++++++++++++++++-
 awx/main/tests/unit/test_access.py | 13 +------------
 3 files changed, 25 insertions(+), 13 deletions(-)
diff --git a/awx/main/access.py b/awx/main/access.py
index b8a80c12d92e..3a217fe2afa4 100644
--- a/awx/main/access.py
+++ b/awx/main/access.py
@@ -1843,6 +1843,11 @@ class SystemJobTemplateAccess(BaseAccess):
 model = SystemJobTemplate
+ def filtered_queryset(self):
+ if self.user.is_superuser or self.user.is_system_auditor:
+ return self.model.objects.all()
+ return self.model.objects.none()
+
 @check_superuser
 def can_start(self, obj, validate_license=True):
 '''Only a superuser can start a job from a SystemJobTemplate'''
diff --git a/awx/main/tests/functional/test_rbac_job.py b/awx/main/tests/functional/test_rbac_job.py
index ff5c6c25a255..dfc351a5d953 100644
--- a/awx/main/tests/functional/test_rbac_job.py
+++ b/awx/main/tests/functional/test_rbac_job.py
@@ -2,7 +2,7 @@
 from rest_framework.exceptions import PermissionDenied
-from awx.main.access import JobAccess, JobLaunchConfigAccess, AdHocCommandAccess, InventoryUpdateAccess, ProjectUpdateAccess
+from awx.main.access import JobAccess, JobLaunchConfigAccess, AdHocCommandAccess, InventoryUpdateAccess, ProjectUpdateAccess, SystemJobTemplateAccess
 from awx.main.models import (
 Job,
 JobLaunchConfig,
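Review bot: `SystemJobTemplateAccess.filtered_queryset` in awx/main/access.py now carries the whole read-authorization rule for system job templates, but it has no docstring, and the neighbouring `can_start` docstring only covers launching. A one-line docstring such as `'''Superusers and system auditors can read every SystemJobTemplate; all other users get an empty queryset.'''` would make the fail-closed default for ordinary users explicit to the next maintainer. If `BaseAccess` already short-circuits for superusers and system auditors before it calls `filtered_queryset` (not visible in this hunk), the role check here duplicates that decision; it is worth confirming which layer owns it, so the two cannot drift apart. The class body continues outside the hunk.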
@@ -350,3 +350,21 @@ def test_can_use_minor(self, rando):
 assert access.can_use(config)
 assert rando.can_access(JobLaunchConfig, 'use', config)
+
+
+@pytest.mark.django_db
+class TestSystemJobTemplateAccess:
+ def test_system_job_template_auditor(self, system_auditor, system_job_template):
+ access = SystemJobTemplateAccess(system_auditor)
+ assert access.can_read(system_job_template)
+ assert not access.can_start(system_job_template)
+
+ def test_system_job_template_rando(self, rando, system_job_template):
+ access = SystemJobTemplateAccess(rando)
+ assert not access.can_read(system_job_template)
+ assert not access.can_start(system_job_template)
+
+ def test_system_job_template_superuser(self, admin_user, system_job_template):
+ access = SystemJobTemplateAccess(admin_user)
+ assert access.can_read(system_job_template)
+ assert access.can_start(system_job_template)
diff --git a/awx/main/tests/unit/test_access.py b/awx/main/tests/unit/test_access.py
index 0059cb498400..08e1e66ab59a 100644
--- a/awx/main/tests/unit/test_access.py
+++ b/awx/main/tests/unit/test_access.py
@@ -5,7 +5,7 @@
 from django.forms.models import model_to_dict
 from rest_framework.exceptions import ParseError
-from awx.main.access import BaseAccess, check_superuser, JobTemplateAccess, WorkflowJobTemplateAccess, vars_are_encrypted
+from awx.main.access import BaseAccess, check_superuser, JobTemplateAccess, WorkflowJobTemplateAccess, vars_are_encrypted
 from awx.main.models import (
 Credential,
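Review bot: The three tests added in `TestSystemJobTemplateAccess` (awx/main/tests/functional/test_rbac_job.py) only call `can_read` and `can_start` on the access object, so the failure named in the commit subject, a 500 when an ordinary user views system job templates, is never reproduced at the API layer. A functional test that requests the system job template list and detail views as `rando`, and asserts a non-500 response that exposes no template, would pin the regression where it was reported. It would also be worth a direct assertion on the queryset for each role, for example `assert not SystemJobTemplateAccess(rando).get_queryset().exists()`, assuming `get_queryset` is the public entry point that wraps `filtered_queryset` (not visible on this page).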
@@ -239,14 +239,3 @@ def can_copy(self, obj):
 foo = object()
 foo_capabilities = foo_access.get_user_capabilities(foo, ['edit', 'copy'])
 assert foo_capabilities == {'edit': 'bar', 'copy': 'foo'}
-
-
-def test_system_job_template_can_start(mocker):
- user = mocker.MagicMock(spec=User, id=1, is_system_auditor=True, is_superuser=False)
- assert user.is_system_auditor
- access = SystemJobTemplateAccess(user)
- assert not access.can_start(None)
-
- user.is_superuser = True
- access = SystemJobTemplateAccess(user)
- assert access.can_start(None)