Fixes #36273 - Use proper permission for editing Ansible variable

Add LookupValue permissions to allow editing of Ansible variables, for non-admin users. Signed-off-by: Pavel Moravec <pmoravec@redhat.com>
theforeman · Aug 27, 2023 · 8dfedc2 · 8dfedc2
1 parent b5c3e2c
commit 8dfedc2
Show file tree

Hide file tree

Showing 4 changed files with 5 additions and 4 deletions.
diff --git a/app/controllers/api/v2/ansible_override_values_controller.rb b/app/controllers/api/v2/ansible_override_values_controller.rb
@@ -24,7 +24,7 @@ class AnsibleOverrideValuesController < ::Api::V2::BaseController
       param_group :ansible_override_value, :as => :create
 
       def create
-        @ansible_variable = AnsibleVariable.authorized(:edit_external_variables).
+        @ansible_variable = AnsibleVariable.authorized(:edit_ansible_variables).
                             find_by(:id => params[:ansible_variable_id].to_i)
         @override_value = @ansible_variable.lookup_values.create!(lookup_value_params['override_value'])
         @ansible_variable.update_attribute(:override, true)

diff --git a/app/models/ansible_variable.rb b/app/models/ansible_variable.rb
@@ -24,7 +24,7 @@ def self.humanize_class_name(options = nil)
   end
 
   def editable_by_user?
-    AnsibleVariable.authorized(:edit_external_parameters).
+    AnsibleVariable.authorized(:edit_ansible_variables).
       where(:id => id).exists?
   end
 end
diff --git a/app/views/ansible_variables/index.html.erb b/app/views/ansible_variables/index.html.erb
@@ -22,7 +22,7 @@
             icon_text((variable.override ? "flag": ""), variable.key.to_s, :kind => 'fa', :title => _('Overriden')),
             hash_for_edit_ansible_variable_path(:id => variable).
             merge(:auth_object => variable,
-                  :permission => 'edit_external_parameters',
+                  :permission => 'edit_ansible_variables',
                   :authorizer => authorizer)
         ) %></td>
         <td class="ellipsis"><%= link_to_if_authorized(

diff --git a/lib/foreman_ansible/register.rb b/lib/foreman_ansible/register.rb
@@ -167,7 +167,8 @@
         :create_job_invocations, :view_job_templates,      # to allow the play_roles
         :create_template_invocations, :view_smart_proxies, # ...
         :view_ansible_roles, :destroy_ansible_roles,
-        :import_ansible_roles, :view_ansible_variables,
+        :import_ansible_roles, :view_ansible_variables, :view_lookup_values,
+        :create_lookup_values, :edit_lookup_values, :destroy_lookup_values,
         :create_ansible_variables, :import_ansible_variables,
         :edit_ansible_variables, :destroy_ansible_variables, :import_ansible_playbooks]