Fixes #36273 - Use proper permission for editing a variable
Add LookupValue permissions to allow editing of Ansible variables,
for non-admin users.

Signed-off-by: Pavel Moravec <pmoravec@redhat.com>
pmoravec authored and nofaralfasi committed Jun 25, 2023
1 parent a85825f commit c6850cd
Showing 4 changed files with 15 additions and 8 deletions.
Expand Up @@ -24,7 +24,7 @@ class AnsibleOverrideValuesController < ::Api::V2::BaseController
param_group :ansible_override_value, :as => :create

def create
@ansible_variable = AnsibleVariable.authorized(:edit_external_variables).
@ansible_variable = AnsibleVariable.authorized(:edit_ansible_variables).
find_by(:id => params[:ansible_variable_id].to_i)
@override_value = @ansible_variable.lookup_values.create!(lookup_value_params['override_value'])
@ansible_variable.update_attribute(:override, true)
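Review bot: In `create`, `find_by` returns nil when the id is unknown or the caller lacks `edit_ansible_variables`, so the next line calls `lookup_values` on nil and the request fails with a NoMethodError instead of a clean not-found or forbidden response. Make the failed lookup explicit, for example with `find_by!(:id => params[:ansible_variable_id].to_i)` or an early return when `@ansible_variable` is nil; whether the base controller already maps `ActiveRecord::RecordNotFound` to a 404 is not visible here. `create!` and `update_attribute(:override, true)` are also two separate writes, so a failure in the second could leave an override value on a variable whose `override` flag is still false; one transaction around both would avoid that. The body of `create` continues outside the hunk.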
2 changes: 1 addition & 1 deletion app/models/ansible_variable.rb
Expand Up @@ -24,7 +24,7 @@ def self.humanize_class_name(options = nil)
end

def editable_by_user?
AnsibleVariable.authorized(:edit_external_parameters).
AnsibleVariable.authorized(:edit_ansible_variables).
where(:id => id).exists?
end
end
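Review bot: The permission name in `editable_by_user?` is still a bare literal, repeated in the controller's `create` and in `index.html.erb`, and the replaced lines suggest the copies had already drifted to two different names (`edit_external_variables` and `edit_external_parameters`). Consider a single definition on the model that all three call sites read, e.g. `EDIT_PERMISSION = :edit_ansible_variables`, plus a short comment on the method such as `# Whether the authorized(:edit_ansible_variables) scope includes this record.` None of the four changed files shown is a test, so a case that exercises this check as a non-admin user would keep the authorization from regressing silently.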
2 changes: 1 addition & 1 deletion app/views/ansible_variables/index.html.erb
Expand Up @@ -22,7 +22,7 @@
icon_text((variable.override ? "flag": ""), variable.key.to_s, :kind => 'fa', :title => _('Overriden')),
hash_for_edit_ansible_variable_path(:id => variable).
merge(:auth_object => variable,
:permission => 'edit_external_parameters',
:permission => 'edit_ansible_variables',
:authorizer => authorizer)
) %></td>
<td class="ellipsis"><%= link_to_if_authorized(
17 changes: 12 additions & 5 deletions lib/foreman_ansible/register.rb
Expand Up @@ -63,12 +63,12 @@
' configured interval'), :cfgmgmt => 'Ansible'),
default: false,
full_name: format(N_('%{cfgmgmt} out of sync disabled'), :cfgmgmt => 'Ansible')
setting 'ansible_inventory_template',
type: :string,
description: N_('Foreman will use this template to schedule the report '\
setting 'ansible_inventory_template',
type: :string,
description: N_('Foreman will use this template to schedule the report '\
'with Ansible inventory'),
default: 'Ansible - Ansible Inventory',
full_name: N_('Default Ansible inventory report template')
default: 'Ansible - Ansible Inventory',
full_name: N_('Default Ansible inventory report template')
setting 'ansible_roles_to_ignore',
type: :array,
description: N_('Those roles will be excluded when importing roles from smart proxy, '\
Expand Down Expand Up @@ -137,6 +137,12 @@
:'api/v2/ansible_variables' => [:create]
},
:resource_type => 'AnsibleVariable'
permission :view_lookup_values,
{ :lookup_values => [:index] },
:resource_type => 'LookupValue'
permission :create_lookup_values,
{ :lookup_values => [:index] },
:resource_type => 'LookupValue'
permission :import_ansible_variables,
{
:ansible_variables => [:import, :confirm_import],
Expand Down Expand Up @@ -169,6 +175,7 @@
:create_template_invocations, :view_smart_proxies, # ...
:view_ansible_roles, :destroy_ansible_roles,
:import_ansible_roles, :view_ansible_variables,
:view_lookup_values, :create_lookup_values,
:create_ansible_variables, :import_ansible_variables,
:edit_ansible_variables, :destroy_ansible_variables, :import_ansible_playbooks]
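Review bot: `create_lookup_values` is registered with `{ :lookup_values => [:index] }`, the same action map as `view_lookup_values` directly above it, so as written the create permission covers nothing beyond listing; this looks like a copy of the preceding block. If creation is meant to go through a `lookup_values` action, map it to that action (for instance `{ :lookup_values => [:create] }`, to be confirmed against the actual routes); if the permission exists only so that `lookup_values.create!` in the override-values controller passes a model-level check, state that in a comment next to the declaration. Both permissions use `:resource_type => 'LookupValue'` and are added to the role's permission list in the last hunk, so confirm that they do not widen that role to lookup values unrelated to Ansible variables.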

