Skip to content

Commit 4d1381a

Browse files
fostersethfosterseth
authored
[AAP-53287] Add reverse sync to give_creator_permission (#832)
This is method that is not called from the viewset, where we would normally reverse sync an assigment to gateway. Thus, we need to explicitly attempt to reverse sync the resulting assignment. Signed-off-by: Seth Foster <[email protected]>
1 parent 7e3928a commit 4d1381a

File tree

2 files changed

+19
-1
lines changed

2 files changed

+19
-1
lines changed

ansible_base/rbac/models/role.py

Lines changed: 6 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -21,6 +21,7 @@
2121
from ansible_base.lib.utils.models import is_add_perm
2222
from ansible_base.rbac.permission_registry import permission_registry
2323
from ansible_base.rbac.prefetch import TypesPrefetch
24+
from ansible_base.rbac.sync import maybe_reverse_sync_assignment
2425
from ansible_base.rbac.validators import validate_assignment, validate_permissions_for_model
2526
from ansible_base.resource_registry.fields import AnsibleResourceField
2627

@@ -96,6 +97,7 @@ def give_creator_permissions(self, user, obj) -> Optional['RoleUserAssignment']:
9697

9798
has_permissions = set(RoleEvaluation.get_permissions(user, obj))
9899
has_permissions.update(user.singleton_permissions())
100+
99101
if set(needed_perms) - set(has_permissions):
100102
kwargs = {'permissions': needed_perms, 'name': settings.ANSIBLE_BASE_ROLE_CREATOR_NAME.format(obj=obj, cls=type(obj))}
101103
defaults = {'content_type': DABContentType.objects.get_for_model(obj)}
@@ -106,7 +108,10 @@ def give_creator_permissions(self, user, obj) -> Optional['RoleUserAssignment']:
106108
defaults['managed'] = True
107109
rd, _ = self.get_or_create(defaults=defaults, **kwargs)
108110

109-
return rd.give_permission(user, obj)
111+
assignment = rd.give_permission(user, obj)
112+
# reverse sync the assignment
113+
maybe_reverse_sync_assignment(assignment)
114+
return assignment
110115

111116
def get_or_create(self, permissions=(), defaults=None, **kwargs):
112117
"Add extra feature on top of existing get_or_create to use permissions list"

test_app/tests/rbac/features/test_creator_permission.py

Lines changed: 13 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1,3 +1,5 @@
1+
from unittest import mock
2+
13
import pytest
24
from django.apps import apps
35
from django.test.utils import override_settings
@@ -76,3 +78,14 @@ def test_creator_permission_for_unregistered_model(rando):
7678
assert DABContentType.objects.count() == prior_ct # did not create anything
7779
assert RoleUserAssignment.objects.count() == prior_assignments
7880
assert RoleDefinition.objects.count() == prior_rds
81+
82+
83+
@pytest.mark.django_db
84+
def test_creator_permission_does_reverse_sync(rando, inventory):
85+
# mock maybe_reverse_sync_assignment
86+
with mock.patch('ansible_base.rbac.models.role.maybe_reverse_sync_assignment') as mock_maybe_reverse_sync_assignment:
87+
RoleDefinition.objects.give_creator_permissions(rando, inventory)
88+
mock_maybe_reverse_sync_assignment.assert_called_once()
89+
RoleDefinition.objects.give_creator_permissions(rando, inventory)
90+
# assert mock was not called another time
91+
mock_maybe_reverse_sync_assignment.assert_called_once()

0 commit comments

Comments
 (0)