RBAC and settings reset

* Initial super-user only rbac with notes for future user-settings support * Clearing individual and all settings back to defaults
2026-03-20 07:43:35 -05:00 · 2015-12-15 12:12:54 -05:00
parent 273181e894
commit 7867a58c00
2 changed files with 45 additions and 4 deletions
--- a/awx/api/views.py
+++ b/awx/api/views.py
@@ -2970,8 +2970,12 @@ class SettingsList(ListCreateAPIView):
    filter_backends = ()

    def get_queryset(self):
+        # TODO: docs
+        if not request.user.is_superuser:
+            # NOTE: Shortcutting the rbac class due to the merging of the settings manifest and the database
+            #       we'll need to extend this more in the future when we have user settings
+            return []
        SettingsTuple = namedtuple('Settings', ['key', 'description', 'category', 'value', 'value_type', 'user'])
-        # TODO: Filter by what the user can see
        all_defined_settings = {s.key: SettingsTuple(s.key,
                                                     s.description,
                                                     s.category,
@@ -2993,15 +2997,23 @@ class SettingsList(ListCreateAPIView):
                                                     None))
        return settings_actual

+    def delete(self, request, *args, **kwargs):
+        if not request.user.can_access(self.model, 'delete', None):
+            raise PermissionDenied()
+        TowerSettings.objects.all().delete()
+        return Response()
+
 class SettingsReset(APIView):

    view_name = "Reset a settings value"
    new_in_300 = True

    def post(self, request):
-        # TODO: RBAC
-        setting_key = request.DATA.get('key', None)
-        if setting_key is not None:
+        # NOTE: Extend more with user settings
+        if not request.user.can_access(TowerSettings, 'delete', None):
+            raise PermissionDenied()
+        settings_key = request.DATA.get('key', None)
+        if settings_key is not None:
            TowerSettings.objects.filter(key=settings_key).delete()
        return Response(status=status.HTTP_204_NO_CONTENT)

--- a/awx/main/access.py
+++ b/awx/main/access.py
@@ -1563,6 +1563,10 @@ class ActivityStreamAccess(BaseAccess):
        ad_hoc_command_qs = self.user.get_queryset(AdHocCommand)
        qs.filter(ad_hoc_command__in=ad_hoc_command_qs)

+        # TowerSettings Filter
+        settings_qs = self.user.get_queryset(TowerSettings)
+        qs.filter(tower_settings__in=settings_qs)
+
        # organization_qs = self.user.get_queryset(Organization)
        # user_qs = self.user.get_queryset(User)
        # inventory_qs = self.user.get_queryset(Inventory)
@@ -1633,6 +1637,30 @@ class CustomInventoryScriptAccess(BaseAccess):
            return True
        return False

+
+class TowerSettingsAccess(BaseAccess):
+    '''
+    - I can see settings when
+      - I am a super user
+    - I can edit settings when
+      - I am a super user
+    - I can clear settings when
+      - I am a super user
+    '''
+
+    model = TowerSettings
+
+    def get_queryset(self):
+        if self.user.is_superuser:
+            return self.model.objects.all()
+        return self.model.objects.none()
+
+    def can_change(self, obj, data):
+        return self.user.is_superuser
+
+    def can_delete(self, obj):
+        return self.user.is_superuser
+
 register_access(User, UserAccess)
 register_access(Organization, OrganizationAccess)
 register_access(Inventory, InventoryAccess)
@@ -1658,3 +1686,4 @@ register_access(UnifiedJobTemplate, UnifiedJobTemplateAccess)
 register_access(UnifiedJob, UnifiedJobAccess)
 register_access(ActivityStream, ActivityStreamAccess)
 register_access(CustomInventoryScript, CustomInventoryScriptAccess)
+register_access(TowerSettings, TowerSettingsAccess)