
Commit 1e561d6

committed
Write out permissions for new views
1 parent c2adafb commit 1e561d6


2 files changed

+36
-0
lines changed


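--- a/ansible_base/rbac/service_api/views.py
+++ b/ansible_base/rbac/service_api/views.py
@@ -5,7 +5,9 @@
 from rest_framework.viewsets import GenericViewSet, mixins
 
 from ansible_base.lib.utils.views.django_app_api import AnsibleBaseDjangoAppApiView
+from ansible_base.lib.utils.views.permissions import try_add_oauth2_scope_permission
 from ansible_base.rest_filters.rest_framework import ansible_id_backend
+from ansible_base.resource_registry.views import HasResourceRegistryPermissions
 
 from ..models import DABContentType, DABPermission, RoleTeamAssignment, RoleUserAssignment
 from . import serializers as service_serializers
@@ -52,6 +54,11 @@ class ServiceRoleUserAssignmentViewSet(
 ansible_id_backend.UserAnsibleIdAliasFilterBackend,
 ansible_id_backend.RoleAssignmentFilterBackend,
 ]
+permission_classes = try_add_oauth2_scope_permission(
+[
+HasResourceRegistryPermissions,
+]
+)
 
 def remote_secondary_sync_assignment(self, assignment, from_service=None):
 """To allow service-specific sync when getting assignment from /service-index/ endpoint
@@ -121,3 +128,8 @@ class ServiceRoleTeamAssignmentViewSet(
 ansible_id_backend.TeamAnsibleIdAliasFilterBackend,
 ansible_id_backend.RoleAssignmentFilterBackend,
 ]
+permission_classes = try_add_oauth2_scope_permission(
+[
+HasResourceRegistryPermissions,
+]
+)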
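Review bot: Assigning `permission_classes` on a DRF view replaces whatever the base classes declared rather than extending it, so on both viewsets (new lines 57-61 and 131-135) access now rests on `HasResourceRegistryPermissions` plus whatever `try_add_oauth2_scope_permission` appends; neither is visible in this commit, and both class bodies begin outside the hunks. I would state that intent next to the attribute, e.g. `# Service-to-service endpoints: only callers accepted by HasResourceRegistryPermissions; replaces any inherited permission_classes`. The identical five-line block could also be built once, `SERVICE_API_PERMISSIONS = try_add_oauth2_scope_permission([HasResourceRegistryPermissions])`, and referenced from both classes so the two cannot drift apart. Separately, the new `resource_registry` import sits after the `rest_filters` one, which looks out of sorted order.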

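--- a/test_app/tests/rbac/remote/test_service_api.py
+++ b/test_app/tests/rbac/remote/test_service_api.py
@@ -184,3 +184,27 @@ def test_unassign_endpoint(rando, org_inv_rd, inventory, admin_api_client):
 response = admin_api_client.post(url, data)
 assert response.status_code == 200, response.data
 assert not rando.has_obj_perm(inventory, 'change')
+
+
+@pytest.mark.django_db
+@pytest.mark.parametrize(
+'reverse_name,normal_case,unauth_case',
+[
+('dabcontenttype-list', 200, 401), # could change unauthenticated case, depends on need
+('dabpermission-list', 200, 401),
+('resource-list', 403, 401),
+('serviceuserassignment-list', 403, 401),
+('serviceteamassignment-list', 403, 401)
+]
+)
+def test_service_api_permissions(reverse_name, normal_case, unauth_case, admin_api_client, user_api_client, unauthenticated_api_client):
+url = get_relative_url(reverse_name)
+
+admin_response = admin_api_client.get(url)
+assert admin_response.status_code == 200, admin_response.data
+
+normal_response = user_api_client.get(url)
+assert normal_response.status_code == normal_case, normal_response.data
+
+unauth_response = unauthenticated_api_client.get(url)
+assert unauth_response.status_code == unauth_case, unauth_response.data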
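Review bot: `test_service_api_permissions` only issues GET requests against the list routes, so the write paths of the two assignment viewsets are never exercised as a non-admin or anonymous caller; `test_unassign_endpoint` just above posts with `admin_api_client` only. Since the commit is about pinning permissions, I would add a case that posts to the assignment routes with `user_api_client` and `unauthenticated_api_client` and asserts 403 and 401 respectively. The inline comment on the `dabcontenttype-list` row (`could change unauthenticated case, depends on need`) leaves that decision open. A docstring stating that the type and permission lists are intentionally readable by any authenticated user would make the 200 expectation a documented choice rather than an observed default.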
