Job relaunch permissions made consistent with JT prompts

awx/main/tests/functional/test_rbac_job_start.py

@@ -2,11 +2,7 @@ import pytest
 
 from awx.main.models.inventory import Inventory
 from awx.main.models.credential import Credential
-from awx.main.models.jobs import JobTemplate
-
-@pytest.fixture
-def machine_credential():
-    return Credential.objects.create(name='machine-cred', kind='ssh', username='test_user', password='pas4word')
+from awx.main.models.jobs import JobTemplate, Job
 
 @pytest.mark.django_db
 @pytest.mark.job_permissions
@@ -45,3 +41,53 @@ def test_inventory_use_access(inventory, user):
     inventory.use_role.members.add(common_user)
 
     assert common_user.can_access(Inventory, 'use', inventory)
+
+@pytest.mark.django_db
+class TestJobRelaunchAccess:
+    @pytest.fixture
+    def jt_no_prompts(self, machine_credential, inventory):
+        return JobTemplate.objects.create(name='test-job_template', credential=machine_credential, inventory=inventory)
+
+    @pytest.fixture
+    def jt_with_prompts(self, jt_no_prompts):
+        jt_no_prompts.update(
+            ask_tags_on_launch=True, ask_variables_on_launch=True, ask_skip_tags_on_launch=True,
+            ask_limit_on_launch=True, ask_job_type_on_launch=True, ask_inventory_on_launch=True,
+            ask_credential_on_launch=True)
+        return jt_no_prompts
+
+    @pytest.fixture
+    def job_no_prompts(self, jt_no_prompts):
+        return jt_no_prompts.create_unified_job()
+
+    @pytest.fixture
+    def job_with_prompts(self, jt_with_prompts, organization):
+        new_cred = Credential.objects.create(name='new-cred', kind='ssh', username='test_user', password='pas4word')
+        new_inv = Inventory.objects.create(name='new-inv', organization=organization)
+        return jt_with_prompts.create_unified_job(credential=new_cred, inventory=new_inv)
+
+    def test_no_relaunch_without_prompted_fields_access(self, job_with_prompts, rando):
+        "Has JT execute_role but no use_role on inventory & credential - deny relaunch"
+        job_with_prompts.job_template.execute_role.members.add(rando)
+        assert not rando.can_access(Job, 'start', job_with_prompts)
+
+    def test_can_relaunch_with_prompted_fields_access(self, job_with_prompts, rando):
+        "Has use_role on the prompted inventory & credential - allow relaunch"
+        job_with_prompts.job_template.execute_role.members.add(rando)
+        job_with_prompts.credential.use_role.members.add(rando)
+        job_with_prompts.inventory.use_role.members.add(rando)
+        assert rando.can_access(Job, 'start', job_with_prompts)
+
+    def test_no_relaunch_after_limit_change(self, job_no_prompts, rando):
+        "State of the job contradicts the JT state - deny relaunch"
+        job_no_prompts.job_template.execute_role.members.add(rando)
+        job_no_prompts.limit = 'webservers'
+        job_no_prompts.save()
+        assert not rando.can_access(Job, 'start', job_no_prompts)
+
+    def test_can_relaunch_if_limit_was_prompt(self, job_with_prompts, rando):
+        "Job state differs from JT, but only on prompted fields - allow relaunch"
+        job_with_prompts.job_template.execute_role.members.add(rando)
+        job_with_prompts.limit = 'webservers'
+        job_with_prompts.save()
+        assert not rando.can_access(Job, 'start', job_with_prompts)