Fix organization not showing all galaxy credentials for org admin #13676
Conversation
gamuniz
force-pushed
the
galaxy_credentials_view
branch
from
8d8e8ea
to
2f67140
Compare
awx/api/generics.py
Outdated
| @@ -528,6 +530,8 @@ def get_queryset(self): | |||
| self.check_parent_access(parent) | |||
| qs = self.request.user.get_queryset(self.model).distinct() | |||
| sublist_qs = self.get_sublist_queryset(parent) | |||
| if not self.filter_read_permission: | |||
| return sublist_qs.prefetch_related(*self.prefetched_items) | |||
There was a problem hiding this comment.
There's an alternative method of doing this above in this file, which can avoid the contract change of adding the prefetched_items property to the view
Lines 367 to 372 in 4f6c853
It would also be good to move the qs definition to after this return because in this code path it's never used.
There was a problem hiding this comment.
I mostly understood your comments and am going to try something like this:
if not self.filter_read_permission:
access_class = access_registry[self.model]
if access_class.prefetch_related:
return sublist_qs.prefetch_related(*access_class.prefetch_related)
if access_class.select_related:
return sublist_qs.select_related(*access_class.select_related)
I reordered the returns as it seems that prefetch_related if available returns with less DB queries even if it is a little more processing on the api
There was a problem hiding this comment.
Many other view should be able to get rid of the get_queryset override by using filter_read_permission = False, which should result in a glorious amount of code deletions.
If you want to formalize that followup, go ahead. If you don't, I never intend to leave a good chunk of unnecessary code un-deleted.
|
What is the final behavior? Admin org user should see all the credentials and instance groups? Can the org admin user delete the instance group to which they don't have access from the organization? |
@obaranov They should be able to see any credential/instance group associated to the org, but they should not be able to remove without the correct rbac permissions |
|
@gamuniz I checked, and api works fine. But with UI I have one small concern. User cannot edit org instance groups if at least one in the list has no user role.
The current user does not have access to the
The same happens when I try to add a new instance group to the list. |
AlanCoding
requested review from
TheRealHaoLiu,
john-westcott-iv and
AlexSCorey
| @@ -2716,6 +2707,7 @@ class JobTemplateInstanceGroupsList(SubListAttachDetachAPIView): | |||
| serializer_class = serializers.InstanceGroupSerializer | |||
| parent_model = models.JobTemplate | |||
| relationship = 'instance_groups' | |||
| filter_read_permission = False | |||
There was a problem hiding this comment.
Are there any other items we would want to apply this to? i.e. Notifications, whatever else?
There was a problem hiding this comment.
I would like to add it liberally to remove a lot of the queries that do identical lookups. That was part of the discussion we had last week and came to no conclusion.
There was a problem hiding this comment.
Yes, there's a performance argument for using this, if possible. However, we do have a lot of views that are reverse relationships. Even if a JT should list all of its credentials, that doesn't mean a credential should list all the JTs it is used in.
There was a problem hiding this comment.
@john-westcott-iv @AlanCoding if you would like me to add this to other places in the api just call it out, otherwise I'm okay with just the org endpoints and the job template credentials endpoint for now
There was a problem hiding this comment.
I'm good with this as a start. We can add other pieces as needed.
|
@obaranov can we merge this guy? |
…sible#13676) (ansible#6362) * Fix organization not showing all galaxy credentials for org admin * Add basic test to ensure counts * refactored approach to allow removal of redundant code * Allow configurable prefetch_related * implicitly get related fields * Removed extra queryset code
SUMMARY
Organizations were not properly showing all the associated galaxy credentials for Organization admins. They should be visible even if the credential cannot be accessed by an Org admin.
ISSUE TYPE
COMPONENT NAME
AWX VERSION
ADDITIONAL INFORMATION
Steps to reproduce:
Admin user:
Org admin:
Org Admin with fix: