put variable data permission in its own class

2026-04-24 00:41:48 -05:00 · 2019-05-08 13:43:13 -04:00
parent 70972f7ea1
commit 231abf865b
3 changed files with 30 additions and 9 deletions
--- a/awx/api/permissions.py
+++ b/awx/api/permissions.py
@@ -15,7 +15,7 @@ from awx.main.utils import get_object_or_400

 logger = logging.getLogger('awx.api.permissions')

-__all__ = ['ModelAccessPermission', 'JobTemplateCallbackPermission',
+__all__ = ['ModelAccessPermission', 'JobTemplateCallbackPermission', 'VariableDataPermission',
           'TaskPermission', 'ProjectUpdatePermission', 'InventoryInventorySourcesUpdatePermission',
           'UserPermission', 'IsSuperUser', 'InstanceGroupTowerPermission',]

@@ -74,12 +74,8 @@ class ModelAccessPermission(permissions.BasePermission):
            # FIXME: For some reason this needs to return True
            # because it is first called with obj=None?
            return True
-        if getattr(view, 'is_variable_data', False):
-            return check_user_access(request.user, view.model, 'change', obj,
-                                     dict(variables=request.data))
-        else:
-            return check_user_access(request.user, view.model, 'change', obj,
-                                     request.data)
+        return check_user_access(request.user, view.model, 'change', obj,
+                                 request.data)

    def check_patch_permissions(self, request, view, obj=None):
        return self.check_put_permissions(request, view, obj)
@@ -163,6 +159,15 @@ class JobTemplateCallbackPermission(ModelAccessPermission):
            return True


+class VariableDataPermission(ModelAccessPermission):
+
+    def check_put_permissions(self, request, view, obj=None):
+        if not obj:
+            return True
+        return check_user_access(request.user, view.model, 'change', obj,
+                                 dict(variables=request.data))
+
+
 class TaskPermission(ModelAccessPermission):
    '''
    Permission checks used for API callbacks from running a task.
--- a/awx/api/views/init.py
+++ b/awx/api/views/init.py
@@ -92,7 +92,7 @@ from awx.main.redact import UriCleaner
 from awx.api.permissions import (
    JobTemplateCallbackPermission, TaskPermission, ProjectUpdatePermission,
    InventoryInventorySourcesUpdatePermission, UserPermission,
-    InstanceGroupTowerPermission,
+    InstanceGroupTowerPermission, VariableDataPermission
 )
 from awx.api import renderers
 from awx.api import serializers
@@ -1948,7 +1948,7 @@ class BaseVariableData(RetrieveUpdateAPIView):

    parser_classes = api_settings.DEFAULT_PARSER_CLASSES + [YAMLParser]
    renderer_classes = api_settings.DEFAULT_RENDERER_CLASSES + [YAMLRenderer]
-    is_variable_data = True # Special flag for permissions check.
+    permission_classes = (VariableDataPermission,)


 class InventoryVariableData(BaseVariableData):