-
Notifications
You must be signed in to change notification settings - Fork 3.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix organization not showing all galaxy credentials for org admin #13676
Conversation
8d8e8ea
to
2f67140
Compare
awx/api/generics.py
Outdated
@@ -528,6 +530,8 @@ def get_queryset(self): | |||
self.check_parent_access(parent) | |||
qs = self.request.user.get_queryset(self.model).distinct() | |||
sublist_qs = self.get_sublist_queryset(parent) | |||
if not self.filter_read_permission: | |||
return sublist_qs.prefetch_related(*self.prefetched_items) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There's an alternative method of doing this above in this file, which can avoid the contract change of adding the prefetched_items
property to the view
Lines 367 to 372 in 4f6c853
if self.model in access_registry: | |
access_class = access_registry[self.model] | |
if access_class.select_related: | |
qs = qs.select_related(*access_class.select_related) | |
if access_class.prefetch_related: | |
qs = qs.prefetch_related(*access_class.prefetch_related) |
It would also be good to move the qs
definition to after this return
because in this code path it's never used.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I mostly understood your comments and am going to try something like this:
if not self.filter_read_permission:
access_class = access_registry[self.model]
if access_class.prefetch_related:
return sublist_qs.prefetch_related(*access_class.prefetch_related)
if access_class.select_related:
return sublist_qs.select_related(*access_class.select_related)
I reordered the returns as it seems that prefetch_related if available returns with less DB queries even if it is a little more processing on the api
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Many other view should be able to get rid of the get_queryset
override by using filter_read_permission = False
, which should result in a glorious amount of code deletions.
If you want to formalize that followup, go ahead. If you don't, I never intend to leave a good chunk of unnecessary code un-deleted.
What is the final behavior? Admin org user should see all the credentials and instance groups? Can the org admin user delete the instance group to which they don't have access from the organization? |
@obaranov They should be able to see any credential/instance group associated to the org, but they should not be able to remove without the correct rbac permissions |
@gamuniz I checked, and api works fine. But with UI I have one small concern. User cannot edit org instance groups if at least one in the list has no user role. The current user does not have access to the The same happens when I try to add a new instance group to the list. |
@@ -2716,6 +2707,7 @@ class JobTemplateInstanceGroupsList(SubListAttachDetachAPIView): | |||
serializer_class = serializers.InstanceGroupSerializer | |||
parent_model = models.JobTemplate | |||
relationship = 'instance_groups' | |||
filter_read_permission = False |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Are there any other items we would want to apply this to? i.e. Notifications, whatever else?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would like to add it liberally to remove a lot of the queries that do identical lookups. That was part of the discussion we had last week and came to no conclusion.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, there's a performance argument for using this, if possible. However, we do have a lot of views that are reverse relationships. Even if a JT should list all of its credentials, that doesn't mean a credential should list all the JTs it is used in.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@john-westcott-iv @AlanCoding if you would like me to add this to other places in the api just call it out, otherwise I'm okay with just the org endpoints and the job template credentials endpoint for now
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm good with this as a start. We can add other pieces as needed.
@obaranov can we merge this guy? |
…sible#13676) (ansible#6362) * Fix organization not showing all galaxy credentials for org admin * Add basic test to ensure counts * refactored approach to allow removal of redundant code * Allow configurable prefetch_related * implicitly get related fields * Removed extra queryset code
SUMMARY
Organizations were not properly showing all the associated galaxy credentials for Organization admins. They should be visible even if the credential cannot be accessed by an Org admin.
ISSUE TYPE
COMPONENT NAME
AWX VERSION
ADDITIONAL INFORMATION
Steps to reproduce:
Admin user:
Org admin:
Org Admin with fix: