Add RolesMixin to task view set

[noissue]
pulp · Dec 9, 2021 · eff385d · eff385d
1 parent c1b2f39
commit eff385d
Show file tree

Hide file tree

Showing 3 changed files with 39 additions and 4 deletions.
diff --git a/pulpcore/app/migrations/0082_add_manage_roles_permissions.py b/pulpcore/app/migrations/0082_add_manage_roles_permissions.py
@@ -0,0 +1,17 @@
+# Generated by Django 3.2.8 on 2021-10-21 10:58
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('core', '0081_reapplabel_group_permissions'),
+    ]
+
+    operations = [
+        migrations.AlterModelOptions(
+            name='task',
+            options={'permissions': [('manage_roles_task', 'Can manage role assignments on task')]},
+        ),
+    ]
diff --git a/pulpcore/app/models/task.py b/pulpcore/app/models/task.py
@@ -279,6 +279,9 @@ def set_failed(self, exc, tb):
 
     class Meta:
         indexes = [models.Index(fields=["pulp_created"])]
+        permissions = [
+            ("manage_roles_task", "Can manage role assignments on task"),
+        ]
 
 
 class TaskGroup(BaseModel):

diff --git a/pulpcore/app/viewsets/task.py b/pulpcore/app/viewsets/task.py
@@ -20,7 +20,7 @@
     WorkerSerializer,
 )
 from pulpcore.app.tasks import purge
-from pulpcore.app.viewsets import BaseFilterSet, NamedModelViewSet
+from pulpcore.app.viewsets import BaseFilterSet, NamedModelViewSet, RolesMixin
 from pulpcore.app.viewsets.base import DATETIME_FILTER_OPTIONS, NAME_FILTER_OPTIONS
 from pulpcore.app.viewsets.custom_filters import (
     HyperlinkRelatedFilter,
@@ -64,7 +64,11 @@ class Meta:
 
 
 class TaskViewSet(
-    NamedModelViewSet, mixins.RetrieveModelMixin, mixins.ListModelMixin, mixins.DestroyModelMixin
+    NamedModelViewSet,
+    mixins.RetrieveModelMixin,
+    mixins.ListModelMixin,
+    mixins.DestroyModelMixin,
+    RolesMixin,
 ):
     queryset = Task.objects.all()
     endpoint_name = "tasks"
@@ -79,7 +83,7 @@ class TaskViewSet(
         "statements": [
             {"action": ["list"], "principal": "authenticated", "effect": "allow"},
             {
-                "action": ["retrieve"],
+                "action": ["retrieve", "my_permissions"],
                 "principal": "authenticated",
                 "effect": "allow",
                 "condition": "has_model_or_obj_perms:core.view_task",
@@ -103,6 +107,12 @@ class TaskViewSet(
                 "principal": "authenticated",
                 "effect": "allow",
             },
+            {
+                "action": ["list_roles", "add_role", "remove_role"],
+                "principal": "authenticated",
+                "effect": "allow",
+                "condition": "has_model_or_obj_perms:core.manage_roles_task",
+            },
         ],
         "creation_hooks": [
             {
@@ -114,7 +124,12 @@ class TaskViewSet(
     LOCKED_ROLES = {
         "core.task_owner": {
             "description": "Allow all actions on a task.",
-            "permissions": ["core.view_task", "core.change_task", "core.delete_task"],
+            "permissions": [
+                "core.view_task",
+                "core.change_task",
+                "core.delete_task",
+                "core.manage_roles_task",
+            ],
         },
         "core.task_viewer": ["core.view_task"],
     }