prevent tower group delete and update

* related to https://github.com/ansible/ansible-tower/issues/7931 * The Tower Instance group is special. It should always exist, so prevent any delete to it. * Only allow super users to associate/disassociate instances the 'tower' instance group. * Do not allow fields of tower instance group to be changed.
2026-04-26 01:41:48 -05:00 · 2018-03-12 16:44:06 -04:00
parent 2640ef8b1c
commit 1f7506e982
3 changed files with 36 additions and 3 deletions
--- a/awx/api/permissions.py
+++ b/awx/api/permissions.py
@@ -17,7 +17,7 @@ logger = logging.getLogger('awx.api.permissions')

 __all__ = ['ModelAccessPermission', 'JobTemplateCallbackPermission',
           'TaskPermission', 'ProjectUpdatePermission', 'InventoryInventorySourcesUpdatePermission',
-           'UserPermission', 'IsSuperUser']
+           'UserPermission', 'IsSuperUser', 'InstanceGroupTowerPermission',]


 class ModelAccessPermission(permissions.BasePermission):
@@ -227,3 +227,12 @@ class IsSuperUser(permissions.BasePermission):

    def has_permission(self, request, view):
        return request.user and request.user.is_superuser
+
+
+class InstanceGroupTowerPermission(ModelAccessPermission):
+    def has_object_permission(self, request, view, obj):
+        if request.method not in permissions.SAFE_METHODS:
+            if obj.name == "tower":
+                return False
+        return super(InstanceGroupTowerPermission, self).has_object_permission(request, view, obj)
+