From a88f03b372c478529b1debc53565f7cd244c4113 Mon Sep 17 00:00:00 2001 From: Bill Nottingham Date: Mon, 6 Jul 2020 13:48:58 -0400 Subject: [PATCH] Reintroduce label filtering Labels are visible if you have a role on the org they are in, or on a job template they're attached to. --- awx/main/access.py | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/awx/main/access.py b/awx/main/access.py index 4705fb2cfc..d0f3bd6c96 100644 --- a/awx/main/access.py +++ b/awx/main/access.py @@ -2480,13 +2480,16 @@ class NotificationAccess(BaseAccess): class LabelAccess(BaseAccess): ''' - I can see/use a Label if I have permission to associated organization + I can see/use a Label if I have permission to associated organization, or to a JT that the label is on ''' model = Label prefetch_related = ('modified_by', 'created_by', 'organization',) def filtered_queryset(self): - return self.model.objects.all() + return self.model.objects.filter( + Q(organization__in=Organization.accessible_pk_qs(self.user, 'read_role')) | + Q(unifiedjobtemplate_labels__in=UnifiedJobTemplate.accessible_pk_qs(self.user, 'read_role')) + ) @check_superuser def can_add(self, data):