Merge pull request #2353 from AlanCoding/2226_user_roles_access

Fixes for role assignment permissions
2026-04-17 21:41:47 -05:00 · 2016-06-14 11:25:33 -04:00
parent 3c887768c1 9d86fb0a09
commit 0583a7c435
4 changed files with 118 additions and 5 deletions
--- a/awx/api/views.py
+++ b/awx/api/views.py
@@ -3769,22 +3769,27 @@ class RoleTeamsList(ListAPIView):
        return Team.objects.filter(member_role__children=role)

    def post(self, request, pk, *args, **kwargs):
-        # Forbid implicit role creation here
+        # Forbid implicit team creation here
        sub_id = request.data.get('id', None)
        if not sub_id:
-            data = dict(msg="Role 'id' field is missing.")
+            data = dict(msg="Team 'id' field is missing.")
            return Response(data, status=status.HTTP_400_BAD_REQUEST)
-        # XXX: Need to pull in can_attach and can_unattach kinda code from SubListCreateAttachDetachAPIView
+
        role = Role.objects.get(pk=self.kwargs['pk'])
        team = Team.objects.get(pk=sub_id)
+        action = 'attach'
+        if request.data.get('disassociate', None):
+            action = 'unattach'
+        if not request.user.can_access(self.parent_model, action, role, team,
+                                       self.relationship, request.data,
+                                       skip_sub_obj_read_check=False):
+            raise PermissionDenied()
        if request.data.get('disassociate', None):
            team.member_role.children.remove(role)
        else:
            team.member_role.children.add(role)
        return Response(status=status.HTTP_204_NO_CONTENT)

-    # XXX attach/detach needs to ensure we have the appropriate perms
-

 class RoleParentsList(SubListAPIView):