Prevent assigning credential to user of other org

Utilizes the `validate_role_assignment` callback from dab (see dab PR ansible#490) to prevent granting credential access to a user of another organization. This logic will work for role_user_assignments and role_team_assignments endpoints. Signed-off-by: Seth Foster <[email protected]>
fosterseth · Jun 25, 2024 · fea9e02 · fea9e02
1 parent 853af29
commit fea9e02
Showing 1 changed file with 11 additions and 0 deletions.
diff --git a/awx/main/models/credential/__init__.py b/awx/main/models/credential/__init__.py
@@ -21,6 +21,7 @@
 from django.utils.encoding import force_str
 from django.utils.functional import cached_property
 from django.utils.timezone import now
+from django.contrib.auth.models import User
 
 # AWX
 from awx.api.versioning import reverse
@@ -41,6 +42,7 @@
     ROLE_SINGLETON_SYSTEM_ADMINISTRATOR,
     ROLE_SINGLETON_SYSTEM_AUDITOR,
 )
+from awx.main.models import Team
 from awx.main.utils import encrypt_field
 from . import injectors as builtin_injectors
 
@@ -315,6 +317,15 @@ def _get_dynamic_input(self, field_name):
         else:
             raise ValueError('{} is not a dynamic input field'.format(field_name))
 
+    def validate_role_assignment(self, actor, role_definition):
+        if isinstance(actor, User):
+            if actor.is_superuser or self.organization in actor.organizations:
+                return
+        if isinstance(actor, Team):
+            if actor.organization == self.organization:
+                return
+        return f"You cannot grant credential access to a {actor._meta.object_name} not in the credentials' organization"
+
 
 class CredentialType(CommonModelNameNotUnique):
     """