def test_org_admin_view_all_teams(org_admin, enabled):
    """Check that cross-organization team visibility follows the setting.

    A team is created in an organization that is not the one `org_admin`
    comes from. With `ORG_ADMINS_CAN_SEE_ALL_USERS` patched to `enabled`,
    `TeamAccess.can_read` must return exactly that value.

    NOTE(review): `enabled` is presumably supplied by a parametrize
    decorator that is not visible in this listing -- confirm.
    """
    checker = TeamAccess(org_admin)
    foreign_org = Organization.objects.create(name='other-org')
    foreign_team = Team.objects.create(name='other-team', organization=foreign_org)

    # The permission check is evaluated while the patched settings are active.
    with mock.patch('awx.main.access.settings') as patched_settings:
        patched_settings.ORG_ADMINS_CAN_SEE_ALL_USERS = enabled
        can_see = checker.can_read(foreign_team)

    # Identity comparison: the result must be the bool itself, not just truthy/falsy.
    assert can_see is enabled
def test_team_access_attach(rando, team, inventory):
    """A team admin with only read access to an inventory cannot attach its admin role.

    This is a privilege-escalation guard: administering the team and being
    able to read the inventory must not be enough to hand the team the
    inventory's admin role.
    """
    # rando administers the team and can read the inventory
    team.admin_role.members.add(rando)
    inventory.read_role.members.add(rando)
    # the team itself already holds read_role on the inventory
    team.member_role.children.add(inventory.read_role)

    checker = TeamAccess(rando)
    payload = {'id': inventory.admin_role.pk}
    allowed = checker.can_attach(
        team,
        inventory.admin_role,
        'member_role.children',
        payload,
        False,
    )
    assert not allowed
def test_team_org_resource_role(ext_auth, team, user, rando):
    """Org admin may add/remove team members only when MANAGE_ORGANIZATION_AUTH allows it.

    A non-superuser is made admin of the team's organization. Both attaching
    and unattaching `rando` on `member_role.members` must equal the patched
    value of `MANAGE_ORGANIZATION_AUTH`.

    NOTE(review): another function with this exact name is defined later in
    this listing. If both live in the same module, the later definition
    rebinds the name and this membership-management check is never
    collected, leaving this authorization path untested -- confirm and
    give one of them a distinct name.
    NOTE(review): `ext_auth` is presumably supplied by a parametrize
    decorator that is not visible here -- confirm.
    """
    with mock.patch('awx.main.access.settings') as patched_settings:
        patched_settings.MANAGE_ORGANIZATION_AUTH = ext_auth

        org_admin_user = user('member', False)
        team.organization.admin_role.members.add(org_admin_user)
        checker = TeamAccess(org_admin_user)

        may_attach = checker.can_attach(team, rando, 'member_role.members')
        assert may_attach == ext_auth

        # rando has to be a member before the unattach check is meaningful
        team.member_role.members.add(rando)
        may_unattach = checker.can_unattach(team, rando, 'member_role.members')
        assert may_unattach == ext_auth
def test_team_org_resource_role(ext_auth, organization, rando, org_admin, team):
    """Org admin can grant/revoke an org resource role to a team regardless of the setting.

    `MANAGE_ORGANIZATION_AUTH` is patched to `ext_auth`, yet every check is
    expected to be True: the organization's workflow_admin_role can be
    attached to and unattached from the team through both access classes.

    NOTE(review): an earlier function in this listing has the same name. If
    both live in the same module this definition replaces the earlier one,
    so only this test is collected -- confirm and rename one of them.
    """
    with mock.patch('awx.main.access.settings') as patched_settings:
        patched_settings.MANAGE_ORGANIZATION_AUTH = ext_auth
        expected = [True, True]

        attach_results = [
            # use via /api/v2/teams/N/roles/
            TeamAccess(org_admin).can_attach(team, organization.workflow_admin_role, 'roles'),
            # use via /api/v2/roles/teams/
            RoleAccess(org_admin).can_attach(organization.workflow_admin_role, team, 'member_role.parents'),
        ]
        assert attach_results == expected

        unattach_results = [
            # use via /api/v2/teams/N/roles/
            TeamAccess(org_admin).can_unattach(team, organization.workflow_admin_role, 'roles'),
            # use via /api/v2/roles/teams/
            RoleAccess(org_admin).can_unattach(organization.workflow_admin_role, team, 'member_role.parents'),
        ]
        assert unattach_results == expected
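def test_team_attach_unattach(team, user):
    """Only a team admin may attach/unattach the team's member_role as a child role.

    Three stages are checked against `member_role.children`:
    a plain team member is denied, the same user is allowed once added to
    the team's admin_role, and a user with no relation to the team is denied.
    """
    member = user('member', False)
    access = TeamAccess(member)

    # Plain membership must not be enough to manage role children.
    team.member_role.members.add(member)
    assert not access.can_attach(team, team.member_role, 'member_role.children', None)
    assert not access.can_unattach(team, team.member_role, 'member_role.children')

    # Promoting the same user to team admin flips both checks.
    team.admin_role.members.add(member)
    assert access.can_attach(team, team.member_role, 'member_role.children', None)
    assert access.can_unattach(team, team.member_role, 'member_role.children')

    # A user unrelated to the team is denied on the same relationship.
    outsider = user('non-member', False)
    access = TeamAccess(outsider)
    assert not access.can_attach(team, team.member_role, 'member_role.children', None)
    # The relationship name must match the one used above; a misspelled name
    # would make this denial check exercise a relationship that does not exist.
    assert not access.can_unattach(team, team.member_role, 'member_role.children')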
def test_team_access_superuser(team, user):
    """A superuser can add, change and delete teams and sees the team in the queryset.

    The first team returned by the access queryset must show the one member
    added here and no members on its organization's admin role.
    """
    plain_member = user('member', False)
    team.member_role.members.add(plain_member)

    superuser = user('admin', True)
    checker = TeamAccess(superuser)

    assert checker.can_add(None)
    assert checker.can_change(team, None)
    assert checker.can_delete(team)

    visible_team = checker.get_queryset()[0]
    member_total = len(visible_team.member_role.members.all())
    org_admin_total = len(visible_team.organization.admin_role.members.all())
    assert member_total == 1
    assert org_admin_total == 0
def test_team_access_member(organization, team, user):
    """A plain team member can see the team but cannot add, change or delete teams.

    The team is explicitly assigned to `organization` and saved before the
    checks. The queryset entry must show one team member and no
    organization admins.
    """
    member = user('member', False)
    team.member_role.members.add(member)
    team.organization = organization
    team.save()

    checker = TeamAccess(member)

    # Membership alone grants no write-level permission on teams.
    new_team_payload = {'organization': organization.pk}
    assert not checker.can_add(new_team_payload)
    assert not checker.can_change(team, None)
    assert not checker.can_delete(team)

    visible_team = checker.get_queryset()[0]
    member_total = len(visible_team.member_role.members.all())
    org_admin_total = len(visible_team.organization.admin_role.members.all())
    assert member_total == 1
    assert org_admin_total == 0
def test_team_list_no_duplicate_entries(rando, organization, team):
    """A team reachable through two different roles is listed exactly once.

    `rando` is both an organization member and a holder of the team's
    read_role; the access queryset must still contain the team a single time.
    """
    organization.member_role.members.add(rando)
    team.read_role.members.add(rando)

    visible_teams = list(TeamAccess(rando).get_queryset())
    assert visible_teams == [team]
def test_team_member_read(rando, organization, team):
    """An organization member can read a team belonging to that organization.

    Both the object-level check (`can_read`) and the list-level check
    (membership in `get_queryset()`) must agree.
    """
    # Precondition: the team fixture belongs to the organization fixture.
    assert team.organization == organization

    organization.member_role.members.add(rando)

    readable = TeamAccess(rando).can_read(team)
    assert readable

    listed_teams = TeamAccess(rando).get_queryset()
    assert team in listed_teams