def test_org_admin_view_all_teams(org_admin, enabled):
access = TeamAccess(org_admin)
other_org = Organization.objects.create(name='other-org')
other_team = Team.objects.create(name='other-team', organization=other_org)
with mock.patch('awx.main.access.settings') as settings_mock:
settings_mock.ORG_ADMINS_CAN_SEE_ALL_USERS = enabled
assert access.can_read(other_team) is enabled
def test_team_access_attach(rando, team, inventory):
# rando is admin of the team
team.admin_role.members.add(rando)
inventory.read_role.members.add(rando)
# team has read_role for the inventory
team.member_role.children.add(inventory.read_role)
access = TeamAccess(rando)
data = {'id': inventory.admin_role.pk}
assert not access.can_attach(team, inventory.admin_role, 'member_role.children', data, False)
def test_team_org_resource_role(ext_auth, team, user, rando):
with mock.patch('awx.main.access.settings') as settings_mock:
settings_mock.MANAGE_ORGANIZATION_AUTH = ext_auth
u = user('member', False)
team.organization.admin_role.members.add(u)
access = TeamAccess(u)
assert access.can_attach(team, rando,
'member_role.members') == ext_auth
team.member_role.members.add(rando)
assert access.can_unattach(team, rando,
'member_role.members') == ext_auth
def test_team_org_resource_role(ext_auth, organization, rando, org_admin, team):
with mock.patch('awx.main.access.settings') as settings_mock:
settings_mock.MANAGE_ORGANIZATION_AUTH = ext_auth
assert [
# use via /api/v2/teams/N/roles/
TeamAccess(org_admin).can_attach(team, organization.workflow_admin_role, 'roles'),
# use via /api/v2/roles/teams/
RoleAccess(org_admin).can_attach(organization.workflow_admin_role, team, 'member_role.parents')
] == [True for i in range(2)]
assert [
# use via /api/v2/teams/N/roles/
TeamAccess(org_admin).can_unattach(team, organization.workflow_admin_role, 'roles'),
# use via /api/v2/roles/teams/
RoleAccess(org_admin).can_unattach(organization.workflow_admin_role, team, 'member_role.parents')
] == [True for i in range(2)]
def test_team_attach_unattach(team, user):
u = user('member', False)
access = TeamAccess(u)
team.member_role.members.add(u)
assert not access.can_attach(team, team.member_role, 'member_role.children', None)
assert not access.can_unattach(team, team.member_role, 'member_role.children')
team.admin_role.members.add(u)
assert access.can_attach(team, team.member_role, 'member_role.children', None)
assert access.can_unattach(team, team.member_role, 'member_role.children')
u2 = user('non-member', False)
access = TeamAccess(u2)
assert not access.can_attach(team, team.member_role, 'member_role.children', None)
assert not access.can_unattach(team, team.member_role, 'member_role.chidlren')
def test_team_access_superuser(team, user):
team.member_role.members.add(user('member', False))
access = TeamAccess(user('admin', True))
assert access.can_add(None)
assert access.can_change(team, None)
assert access.can_delete(team)
t = access.get_queryset()[0]
assert len(t.member_role.members.all()) == 1
assert len(t.organization.admin_role.members.all()) == 0
def test_team_access_member(organization, team, user):
u = user('member', False)
team.member_role.members.add(u)
team.organization = organization
team.save()
access = TeamAccess(u)
assert not access.can_add({'organization': organization.pk})
assert not access.can_change(team, None)
assert not access.can_delete(team)
t = access.get_queryset()[0]
assert len(t.member_role.members.all()) == 1
assert len(t.organization.admin_role.members.all()) == 0
def test_team_list_no_duplicate_entries(rando, organization, team):
organization.member_role.members.add(rando)
team.read_role.members.add(rando)
assert list(TeamAccess(rando).get_queryset()) == [team]
def test_team_member_read(rando, organization, team):
assert team.organization == organization
organization.member_role.members.add(rando)
assert TeamAccess(rando).can_read(team)
assert team in TeamAccess(rando).get_queryset()