fix: Allow superusers delete adhoc and playbook

apps/common/permissions.py

@@ -87,3 +87,12 @@ class IsValidLicense(permissions.BasePermission):
 
     def has_permission(self, request, view):
         return settings.XPACK_LICENSE_IS_VALID
+
+
+class IsOwnerOrAdminWritable(IsValidUser):
+    def has_object_permission(self, request, view, obj):
+        if request.user.is_superuser:
+            return super().has_permission(request, view)
+        if request.method != 'GET' and obj.creator != request.user:
+            return False
+        return super().has_permission(request, view)

apps/ops/api/adhoc.py

@@ -1,8 +1,8 @@
 # -*- coding: utf-8 -*-
 from django.db.models import Q
-from django.utils.translation import gettext_lazy as _
 
 from common.api.generic import JMSBulkModelViewSet
+from common.permissions import IsOwnerOrAdminWritable
 from common.utils.http import is_true
 from rbac.permissions import RBACPermission
 from ..const import Scope
@@ -17,7 +17,7 @@ __all__ = [
 class AdHocViewSet(JMSBulkModelViewSet):
     queryset = AdHoc.objects.all()
     serializer_class = AdHocSerializer
-    permission_classes = (RBACPermission,)
+    permission_classes = (RBACPermission, IsOwnerOrAdminWritable)
     search_fields = ('name', 'comment')
     filterset_fields = ['scope', 'creator']
 
@@ -26,13 +26,6 @@ class AdHocViewSet(JMSBulkModelViewSet):
             self.check_object_permissions(self.request, obj)
         return True
 
-    def check_object_permissions(self, request, obj):
-        if request.method != 'GET' and obj.creator != request.user:
-            self.permission_denied(
-                request, message={"detail": _("Deleting other people's script is not allowed")}
-            )
-        return super().check_object_permissions(request, obj)
-
     def get_queryset(self):
         queryset = super().get_queryset()
         user = self.request.user

apps/ops/api/playbook.py

@@ -11,6 +11,7 @@ from rest_framework import status
 
 from common.api.generic import JMSBulkModelViewSet
 from common.exceptions import JMSException
+from common.permissions import IsOwnerOrAdminWritable
 from common.utils.http import is_true
 from rbac.permissions import RBACPermission
 from ..const import Scope
@@ -33,7 +34,7 @@ def unzip_playbook(src, dist):
 
 class PlaybookViewSet(JMSBulkModelViewSet):
     serializer_class = PlaybookSerializer
-    permission_classes = (RBACPermission,)
+    permission_classes = (RBACPermission, IsOwnerOrAdminWritable)
     queryset = Playbook.objects.all()
     search_fields = ('name', 'comment')
     filterset_fields = ['scope', 'creator']
@@ -43,13 +44,6 @@ class PlaybookViewSet(JMSBulkModelViewSet):
             self.check_object_permissions(self.request, obj)
         return True
 
-    def check_object_permissions(self, request, obj):
-        if request.method != 'GET' and obj.creator != request.user:
-            self.permission_denied(
-                request, message={"detail": _("Deleting other people's playbook is not allowed")}
-            )
-        return super().check_object_permissions(request, obj)
-
     def perform_destroy(self, instance):
         if instance.job_set.exists():
             raise JMSException(code='playbook_has_job', detail={"msg": _("Currently playbook is being used in a job")})