Don't let Org Admins promote themselves to System Admins

Nor System Auditor
2026-04-23 00:11:48 -05:00 · 2016-05-18 16:02:40 -04:00
parent 390ac656fa
commit d79d8cbfba
1 changed files with 18 additions and 10 deletions
--- a/awx/api/views.py
+++ b/awx/api/views.py
@@ -1248,17 +1248,25 @@ class UserDetail(RetrieveUpdateDestroyAPIView):
        obj = self.get_object()
        can_change = request.user.can_access(User, 'change', obj, request.data)
        can_admin = request.user.can_access(User, 'admin', obj, request.data)
        su_only_edit_fields = ('is_superuser', 'is_system_auditor')
        admin_only_edit_fields = ('last_name', 'first_name', 'username', 'is_active')
        fields_to_check = ()
        if not request.user.is_superuser:
            fields_to_check += su_only_edit_fields
        if can_change and not can_admin:
-            admin_only_edit_fields = ('last_name', 'first_name', 'username',
+            fields_to_check += admin_only_edit_fields
-                                      'is_active', 'is_superuser')
+
-            changed = {}
+        bad_changes = {}
-            for field in admin_only_edit_fields:
+        for field in fields_to_check:
-                left = getattr(obj, field, None)
+            left = getattr(obj, field, None)
-                right = request.data.get(field, None)
+            right = request.data.get(field, None)
-                if left is not None and right is not None and left != right:
+            if left is not None and right is not None and left != right:
-                    changed[field] = (left, right)
+                bad_changes[field] = (left, right)
-            if changed:
+        if bad_changes:
-                raise PermissionDenied('Cannot change %s.' % ', '.join(changed.keys()))
+            raise PermissionDenied('Cannot change %s.' % ', '.join(bad_changes.keys()))
    def destroy(self, request, *args, **kwargs):
        obj = self.get_object()