def test_ig_associability(organization, default_instance_group, admin,
system_auditor, org_admin, org_member,
job_template_factory):
admin_access = OrganizationAccess(admin)
auditor_access = OrganizationAccess(system_auditor)
oadmin_access = OrganizationAccess(org_admin)
omember_access = OrganizationAccess(org_member)
assert admin_access.can_attach(organization, default_instance_group,
'instance_groups', None)
assert not oadmin_access.can_attach(organization, default_instance_group,
'instance_groups', None)
assert not auditor_access.can_attach(organization, default_instance_group,
'instance_groups', None)
assert not omember_access.can_attach(organization, default_instance_group,
'instance_groups', None)
organization.instance_groups.add(default_instance_group)
assert admin_access.can_unattach(organization, default_instance_group,
'instance_groups', None)
assert not oadmin_access.can_unattach(organization, default_instance_group,
'instance_groups', None)
assert not auditor_access.can_unattach(
organization, default_instance_group, 'instance_groups', None)
assert not omember_access.can_unattach(
organization, default_instance_group, 'instance_groups', None)
objects = job_template_factory('jt',
organization=organization,
project='p',
inventory='i',
credential='c')
admin_access = InventoryAccess(admin)
auditor_access = InventoryAccess(system_auditor)
oadmin_access = InventoryAccess(org_admin)
omember_access = InventoryAccess(org_member)
assert admin_access.can_attach(objects.inventory, default_instance_group,
'instance_groups', None)
assert oadmin_access.can_attach(objects.inventory, default_instance_group,
'instance_groups', None)
assert not auditor_access.can_attach(
objects.inventory, default_instance_group, 'instance_groups', None)
assert not omember_access.can_attach(
objects.inventory, default_instance_group, 'instance_groups', None)
admin_access = JobTemplateAccess(admin)
auditor_access = JobTemplateAccess(system_auditor)
oadmin_access = JobTemplateAccess(org_admin)
omember_access = JobTemplateAccess(org_member)
assert admin_access.can_attach(objects.job_template,
default_instance_group, 'instance_groups',
None)
assert oadmin_access.can_attach(objects.job_template,
default_instance_group, 'instance_groups',
None)
assert not auditor_access.can_attach(
objects.job_template, default_instance_group, 'instance_groups', None)
assert not omember_access.can_attach(
objects.job_template, default_instance_group, 'instance_groups', None)
def test_access_auditor(organization, inventory, user):
u = user('admin', False)
inventory.organization = organization
organization.auditor_role.members.add(u)
access = InventoryAccess(u)
assert access.can_read(inventory)
assert not access.can_add(None)
assert not access.can_add({'organization': organization.id})
assert not access.can_change(inventory, None)
assert not access.can_change(inventory, {'organization': organization.id})
assert not access.can_admin(inventory, None)
assert not access.can_admin(inventory, {'organization': organization.id})
assert not access.can_delete(inventory)
assert not access.can_run_ad_hoc_commands(inventory)
def test_host_filter_edit(self, smart_inventory, rando, org_admin):
assert InventoryAccess(org_admin).can_admin(
smart_inventory, {'host_filter': 'search=foo'})
smart_inventory.admin_role.members.add(rando)
assert not InventoryAccess(rando).can_admin(
smart_inventory, {'host_filter': 'search=foo'})
def test_access_admin(role, organization, inventory, user):
a = user('admin', False)
inventory.organization = organization
role = getattr(organization, role)
role.members.add(a)
access = InventoryAccess(a)
assert access.can_read(inventory)
assert access.can_add(None)
assert access.can_add({'organization': organization.id})
assert access.can_change(inventory, None)
assert access.can_change(inventory, {'organization': organization.id})
assert access.can_admin(inventory, None)
assert access.can_admin(inventory, {'organization': organization.id})
assert access.can_delete(inventory)
assert access.can_run_ad_hoc_commands(inventory)
def test_running_job_protection(inventory, admin_user):
AdHocCommand.objects.create(inventory=inventory, status='running')
access = InventoryAccess(admin_user)
with pytest.raises(ActiveJobConflict):
access.can_delete(inventory)
