Skip to content

AAP-51957 Move to new DAB RBAC queryset patterns #16118

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
AlanCoding wants to merge 2 commits into
base: devel
Choose a base branch
from
Draft

AAP-51957 Move to new DAB RBAC queryset patterns #16118

AlanCoding wants to merge 2 commits into from

Conversation

@AlanCoding
Copy link
Member

@AlanCoding AlanCoding commented Oct 7, 2025

SUMMARY

This is outright duplication with DAB, and this patch brings AWX into the same patterns as everything else.

ISSUE TYPE
  • Bug, Docs Fix or other nominal change
COMPONENT NAME
  • API

AlanCoding
AlanCoding commented Oct 7, 2025
View reviewed changes
awx/main/utils/common.py
filter_args.append(
Q(Q(**{'%s__pk__in' % res_path: parent_model.accessible_pk_qs(user, '%s_role' % role_type)}) | Q(**{'%s__isnull' % res_path: True}))
Q(
Q(**{'%s__pk__in' % res_path: parent_model.access_ids_qs(user, to_permissions['%s_role' % role_type])})
Copy link
Member Author

@AlanCoding AlanCoding Oct 7, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

test failure

  File "/awx_devel/awx/api/serializers.py", line 509, in _obj_capability_dict
    self.context['capability_map'] = prefetch_page_capabilities(model, qs, prefetch_list, view.request.user)
                                     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/awx_devel/awx/main/utils/common.py", line 641, in prefetch_page_capabilities
    Q(**{'%s__pk__in' % res_path: parent_model.access_ids_qs(user, to_permissions['%s_role' % role_type])})
                                                                   ~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^
KeyError: 'project_admin_role'

this seems to come from the serializer, from

awx/awx/api/serializers.py

Line 1347 in 0d18308

capabilities_prefetch = ['admin', 'update', {'copy': 'organization.project_admin'}]

This is a coherent "old" role name, but it isn't fully baked in the new system. We just want to check "add_project" permission to the organization. We might want to completely change this contract to the new names to make this make sense.

AlanCoding
AlanCoding commented Oct 7, 2025
View reviewed changes
awx/main/models/unified_jobs.py
return cls.objects.filter(pk__in=cls.access_ids_qs(accessor, action))

@classmethod
def accessible_pk_qs(cls, accessor, role_field):
Copy link
Member Author

@AlanCoding AlanCoding Oct 7, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

will want to delete this

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

component:api

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@AlanCoding