Merge remote-tracking branch 'origin/release_3.1.2' into devel

2026-04-05 23:51:48 -05:00 · 2017-03-21 10:39:16 -04:00
parent 1b392a8ad5 301a088922
commit a69dfced74
74 changed files with 872 additions and 258 deletions
--- a/awx/api/filters.py
+++ b/awx/api/filters.py
@@ -316,6 +316,8 @@ class OrderByBackend(BaseFilterBackend):
                    else:
                        order_by = (value,)
            if order_by:
+                order_by = self._strip_sensitive_model_fields(queryset.model, order_by)
+
                # Special handling of the type field for ordering. In this
                # case, we're not sorting exactly on the type field, but
                # given the limited number of views with multiple types,
@@ -338,3 +340,16 @@ class OrderByBackend(BaseFilterBackend):
        except FieldError as e:
            # Return a 400 for invalid field names.
            raise ParseError(*e.args)
+
+    def _strip_sensitive_model_fields(self, model, order_by):
+        for field_name in order_by:
+            # strip off the negation prefix `-` if it exists
+            _field_name = field_name.split('-')[-1]
+            try:
+                # if the field name is encrypted/sensitive, don't sort on it
+                if _field_name in getattr(model, 'PASSWORD_FIELDS', ()) or \
+                        getattr(model._meta.get_field(_field_name), '__prevent_search__', False):
+                    raise ParseError(_('cannot order by field %s') % _field_name)
+            except FieldDoesNotExist:
+                pass
+            yield field_name
--- a/awx/api/views.py
+++ b/awx/api/views.py
@@ -2678,7 +2678,8 @@ class JobTemplateCallback(GenericAPIView):

    def post(self, request, *args, **kwargs):
        extra_vars = None
-        if request.content_type == "application/json":
+        # Be careful here: content_type can look like '<content_type>; charset=blar'
+        if request.content_type.startswith("application/json"):
            extra_vars = request.data.get("extra_vars", None)
        # Permission class should have already validated host_config_key.
        job_template = self.get_object()
@@ -2727,14 +2728,14 @@ class JobTemplateCallback(GenericAPIView):
            return Response(data, status=status.HTTP_400_BAD_REQUEST)

        # Everything is fine; actually create the job.
+        kv = {"limit": limit, "launch_type": 'callback'}
+        if extra_vars is not None and job_template.ask_variables_on_launch:
+            kv['extra_vars'] = callback_filter_out_ansible_extra_vars(extra_vars)
        with transaction.atomic():
-            job = job_template.create_job(limit=limit, launch_type='callback')
+            job = job_template.create_job(**kv)

        # Send a signal to celery that the job should be started.
-        kv = {"inventory_sources_already_updated": inventory_sources_already_updated}
-        if extra_vars is not None:
-            kv['extra_vars'] = callback_filter_out_ansible_extra_vars(extra_vars)
-        result = job.signal_start(**kv)
+        result = job.signal_start(inventory_sources_already_updated=inventory_sources_already_updated)
        if not result:
            data = dict(msg=_('Error starting job!'))
            return Response(data, status=status.HTTP_400_BAD_REQUEST)
@@ -3665,7 +3666,7 @@ class AdHocCommandRelaunch(GenericAPIView):
        data = {}
        for field in ('job_type', 'inventory_id', 'limit', 'credential_id',
                      'module_name', 'module_args', 'forks', 'verbosity',
-                      'become_enabled'):
+                      'extra_vars', 'become_enabled'):
            if field.endswith('_id'):
                data[field[:-3]] = getattr(obj, field)
            else: