
Added setting to disallow users from approving their own workflows

Open oweel opened this issue 3 years ago • 9 comments

SUMMARY

Added a setting to disallow users from approving their own workflow jobs

#10610

ISSUE TYPE
  • New or Enhanced Feature
COMPONENT NAME
  • API
  • UI
AWX VERSION
19.2.2
ADDITIONAL INFORMATION

oweel avatar Aug 10 '21 03:08 oweel

@oweel. This is really great work. Thank you for submitting this. I pulled this code down and went through the steps of creating 2 workflow approval nodes. One of them was set up to allow self approval of the node, and the other was set up to not allow self approval. I was able to self approve the 1 that was set up to not allow self approval. We need to add some permission. We should add some tests for this use case as well.

AlexSCorey avatar Aug 12 '21 16:08 AlexSCorey

@AlexSCorey. Thank you for your feedback!

Maybe you did it as the admin user? In this case, workflow approval is allowed for superusers. https://github.com/ansible/awx/blob/61a3074800ba479c1a7d05dea2af5d0a918d7b96/awx/main/access.py#L2859-L2866

oweel avatar Aug 13 '21 10:08 oweel

@oweel For my 2nd run through of this work I created 2 users that have admin permission on the workflow job template, but are not super users. User 1 created the approval node and launched the job. When that user goes to approve the job the approval button is active (it should be disabled), but when that user presses the button they get an api error (as I would expect saying the user doesn't have permission to approve their own workflow).

Then, I signed in as User 2. When this user goes to approve the node the Approval button is active (as expected) but when they click the approve button they also get an api error saying the user doesn't have permission to approve their own workflow.

AlexSCorey avatar Aug 19 '21 14:08 AlexSCorey

> @oweel For my 2nd run through of this work I created 2 users that have admin permission on the workflow job template, but are not super users. User 1 created the approval node and launched the job. When that user goes to approve the job the approval button is active (it should be disabled), but when that user presses the button they get an api error (as I would expect saying the user doesn't have permission to approve their own workflow).
>
> Then, I signed in as User 2. When this user goes to approve the node the Approval button is active (as expected) but when they click the approve button they also get an api error saying the user doesn't have permission to approve their own workflow.

@AlexSCorey Sorry, I fixed them. Thank you for finding the bug! Also, I made the "Approve" button inactive if the user does not have permission to.

oweel avatar Aug 26 '21 09:08 oweel
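
The access rule being tested in the comments above, as an added example that is not code from this PR or from AWX: a standalone model of a self-approval check covering the cases discussed (superuser bypass, the launcher denied, a second admin allowed). All names (`User`, `ApprovalNode`, `allow_self_approval`, `can_approve`, `approval_matrix`) are hypothetical, and the sample users are constructed.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class User:
    id: int
    is_superuser: bool = False


@dataclass
class ApprovalNode:
    launched_by: int            # id of the user who launched the workflow job
    allow_self_approval: bool   # hypothetical name for the setting under review
    approvers: set = field(default_factory=set)  # ids with approve/admin rights


def can_approve(user: User, node: ApprovalNode) -> bool:
    """Server-side decision; the UI button state should be derived from it."""
    if user.is_superuser:
        return True             # superuser bypass mentioned in the thread
    if user.id not in node.approvers:
        return False            # no role on the workflow job template
    if node.allow_self_approval:
        return True
    # Deny only the launcher; every other approver must still pass
    # (the User 2 case reported above).
    return user.id != node.launched_by


def approval_matrix(node, users):
    """Map user id -> decision, convenient for table-driven tests."""
    return {u.id: can_approve(u, node) for u in users}


if __name__ == "__main__":
    # Constructed sample: one superuser, two template admins, one outsider.
    users = [User(1, is_superuser=True), User(2), User(3), User(4)]
    node = ApprovalNode(launched_by=2, allow_self_approval=False,
                        approvers={2, 3})
    print(approval_matrix(node, users))
```
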

@oweel can you rebase this PR so that I can review it? I think it is a few commits behind devel

AlexSCorey avatar Sep 07 '21 15:09 AlexSCorey

@AlexSCorey All is ready :)

oweel avatar Sep 07 '21 16:09 oweel

Hi @oweel , could you please renumber your migration file (to 0156) as well as rename it (currently named awx/main/migrations/0153_auto_20210804_0938.py)?

You can see the pattern of numbering and naming in this directory: https://github.com/ansible/awx/tree/devel/awx/main/migrations

0156_self_approve_wfjt.py might be something that works, but feel free to choose a different name.

beeankha avatar Sep 13 '21 14:09 beeankha

@oweel I think this needs another rebase

AlexSCorey avatar Oct 01 '21 15:10 AlexSCorey

Not a priority

AlexSCorey avatar Sep 13 '22 20:09 AlexSCorey