Allow The AccessPolicy.permissions_assignment to be null.

The ``AccessPolicy.permissions_assignment`` can now be null, which some viewset endpoints may require. closes #7448
pulp · Sep 3, 2020 · a26205e · a26205e
1 parent 16caab7
commit a26205e
Show file tree

Hide file tree

Showing 5 changed files with 33 additions and 5 deletions.
diff --git a/CHANGES/7448.bugfix b/CHANGES/7448.bugfix
@@ -0,0 +1,2 @@
+The ``AccessPolicy.permissions_assignment`` can now be null, which some viewset endpoints may
+require.
diff --git a/CHANGES/plugin_api/7448.bugfix b/CHANGES/plugin_api/7448.bugfix
@@ -0,0 +1,2 @@
+The ``AccessPolicy.permissions_assignment`` can now be null, which some viewset endpoints may
+require.
diff --git a/docs/plugins/plugin-writer/concepts/rbac/adding_automatic_permissions.rst b/docs/plugins/plugin-writer/concepts/rbac/adding_automatic_permissions.rst
@@ -7,9 +7,9 @@ When creating new objects in either viewsets or tasks it's important to have the
 It is important that the permissions new objects receive work with the AccessPolicy so that newly
 created objects can be authorized by the AccessPolicy as expected. The AccessPolicy statements are
 user-configurable and so the permissions to be created for new objects are too. Similar to the
-requirements for the AccessPolicy ``statements``, plugin writers are expected to define and ship a
-default behavior for permissions on new objects, and then users can modify them as needed after
-migrations are run.
+requirements for the AccessPolicy ``statements``, plugin writers can define and ship a default
+behavior for permissions on new objects, and then users can modify them as needed after migrations
+are run.
 
 
 .. _defining_new_object_permission_behaviors:
@@ -22,6 +22,10 @@ to be run when new objects are created. These do not run automatically; your mod
 ``pulpcore.plugin.models.AutoAddObjPermsMixin`` on the model as described in the
 :ref:`enabling_new_object_permission_creation` section.
 
+The ``AccessPolicy.permissions_assignment`` attribute is optional because not all AccessPolicy
+objects create objects. If no objects are created by an endpoint, there does not need to be a
+``permissions_assignment`` attribute.
+
 The most common auto-assignment of permissions is to the creator of an object themselves. Here is an
 example assigning the ``["pulpcore.view_task", "pulpcore.change_task", "pulpcore.delete_task"]``
 permissions to the creator of an object:

diff --git a/pulpcore/app/migrations/0045_auto_20200902_1616.py b/pulpcore/app/migrations/0045_auto_20200902_1616.py
@@ -0,0 +1,19 @@
+# Generated by Django 2.2.15 on 2020-09-02 16:16
+
+import django.contrib.postgres.fields.jsonb
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('core', '0044_temp_file_artifact_field'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='accesspolicy',
+            name='permissions_assignment',
+            field=django.contrib.postgres.fields.jsonb.JSONField(null=True),
+        ),
+    ]
diff --git a/pulpcore/app/models/access_policy.py b/pulpcore/app/models/access_policy.py
@@ -20,14 +20,15 @@ class AccessPolicy(BaseModel):
 
         permissions_assignment (JSONField): A list of dictionaries identifying callables on the
             ``pulpcore.plugin.access_policy.AccessPolicyFromDB`` which add user or group permissions
-            for newly created objects.
+            for newly created objects. This is a nullable field due to not all endpoints creating
+            objects.
         statements (JSONField): A list of ``drf-access-policy`` statements.
         viewset_name (models.CharField): The name of the viewset this instance controls
             authorization for.
 
     """
 
-    permissions_assignment = JSONField()
+    permissions_assignment = JSONField(null=True)
     statements = JSONField()
     viewset_name = models.CharField(max_length=128, unique=True)