Merge pull request ansible#757 from AlanCoding/vault_cred_noop

allow no-op case for vault_credential
aladjadj · Dec 4, 2017 · 7fe22e9 · 7fe22e9
2 parents 42d8368 + dfc154e
commit 7fe22e9
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 3 deletions.
diff --git a/awx/api/serializers.py b/awx/api/serializers.py
@@ -2446,7 +2446,8 @@ def validate(self, attrs):
                     cred = v1_credentials[attr] = Credential.objects.get(pk=pk)
                     if cred.credential_type.kind != kind:
                         raise serializers.ValidationError({attr: error})
-                    if view and view.request and view.request.user not in cred.use_role:
+                    if ((not self.instance or cred.pk != getattr(self.instance, attr)) and
+                            view and view.request and view.request.user not in cred.use_role):
                         raise PermissionDenied()
 
         if 'project' in self.fields and 'playbook' in self.fields:

diff --git a/awx/main/tests/functional/test_rbac_job_templates.py b/awx/main/tests/functional/test_rbac_job_templates.py
@@ -136,7 +136,7 @@ def test_job_template_can_add_extra_credentials(self, job_template, credential,
             job_template, credential, 'credentials', {})
 
     def test_job_template_vault_cred_check(self, mocker, job_template, vault_credential, rando, project):
-        # TODO: remove in 3.3
+        # TODO: remove in 3.4
         job_template.admin_role.members.add(rando)
         # not allowed to use the vault cred
         # this is checked in the serializer validate method, not access.py
@@ -151,9 +151,27 @@ def test_job_template_vault_cred_check(self, mocker, job_template, vault_credent
                 'ask_inventory_on_launch': True,
             })
 
+    def test_job_template_vault_cred_check_noop(self, mocker, job_template, vault_credential, rando, project):
+        # TODO: remove in 3.4
+        job_template.credentials.add(vault_credential)
+        job_template.admin_role.members.add(rando)
+        # not allowed to use the vault cred
+        # this is checked in the serializer validate method, not access.py
+        view = mocker.MagicMock()
+        view.request = mocker.MagicMock()
+        view.request.user = rando
+        serializer = JobTemplateSerializer(job_template, context={'view': view})
+        # should not raise error:
+        serializer.validate({
+            'vault_credential': vault_credential.pk,
+            'project': project,  # necessary because job_template fixture fails validation
+            'playbook': 'helloworld.yml',
+            'ask_inventory_on_launch': True,
+        })
+
     def test_new_jt_with_vault(self, mocker, vault_credential, project, rando):
         project.admin_role.members.add(rando)
-        # TODO: remove in 3.3
+        # TODO: remove in 3.4
         # this is checked in the serializer validate method, not access.py
         view = mocker.MagicMock()
         view.request = mocker.MagicMock()