From ec2bf4476de241891c59e820c2433dbf0074b1cb Mon Sep 17 00:00:00 2001
From: Wayne Witzel III <wayne@riotousliving.com>
Date: Thu, 14 Jul 2016 11:16:16 -0400
Subject: [PATCH 1/2] ensure system admin/auditor can see orphan inventory
 scripts

---
 awx/api/serializers.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/awx/api/serializers.py b/awx/api/serializers.py
index 2f58b776f4..bbbbabdb5d 100644
--- a/awx/api/serializers.py
+++ b/awx/api/serializers.py
@@ -1270,7 +1270,9 @@ class CustomInventoryScriptSerializer(BaseSerializer):
         if obj is None:
             return ret
         request = self.context.get('request', None)
-        if request.user not in obj.admin_role:
+        if request.user not in obj.admin_role and \
+           not request.user.is_superuser and \
+           not request.user.is_system_auditor:
             ret['script'] = None
         return ret
 

From b9de0b196d59acf9505c0f0ce46075d31bd70814 Mon Sep 17 00:00:00 2001
From: Wayne Witzel III <wayne@riotousliving.com>
Date: Fri, 15 Jul 2016 10:32:52 -0400
Subject: [PATCH 2/2] add test for CustomInventoryScript serializer

---
 awx/main/tests/unit/api/test_serializers.py | 48 ++++++++++++++++++++-
 1 file changed, 46 insertions(+), 2 deletions(-)

diff --git a/awx/main/tests/unit/api/test_serializers.py b/awx/main/tests/unit/api/test_serializers.py
index a8fb25d005..2496ba9a2d 100644
--- a/awx/main/tests/unit/api/test_serializers.py
+++ b/awx/main/tests/unit/api/test_serializers.py
@@ -1,14 +1,31 @@
 # Python
 import pytest
 import mock
+from mock import PropertyMock
 import json
 
 # AWX
-from awx.api.serializers import JobTemplateSerializer, JobSerializer, JobOptionsSerializer
-from awx.main.models import Label, Job
+from awx.api.serializers import (
+    JobTemplateSerializer,
+    JobSerializer,
+    JobOptionsSerializer,
+    CustomInventoryScriptSerializer,
+)
+from awx.main.models import (
+    Label,
+    Job,
+    CustomInventoryScript,
+    User,
+)
 
 #DRF
+from rest_framework.request import Request
 from rest_framework import serializers
+from rest_framework.test import (
+    APIRequestFactory,
+    force_authenticate,
+)
+
 
 def mock_JT_resource_data():
     return ({}, [])
@@ -189,3 +206,30 @@ class TestJobTemplateSerializerValidation(object):
         for ev in self.bad_extra_vars:
             with pytest.raises(serializers.ValidationError):
                 serializer.validate_extra_vars(ev)
+
+class TestCustomInventoryScriptSerializer(object):
+
+    @pytest.mark.parametrize("superuser,sysaudit,admin_role,value",
+                             ((True, False, False, '#!/python'),
+                              (False, True, False, '#!/python'),
+                              (False, False, True, '#!/python'),
+                              (False, False, False, None)))
+    def test_to_representation_orphan(self, superuser, sysaudit, admin_role, value):
+        with mock.patch.object(CustomInventoryScriptSerializer, 'get_summary_fields', return_value={}):
+                User.add_to_class('is_system_auditor', sysaudit)
+                user = User(username="root", is_superuser=superuser)
+                roles = [user] if admin_role else []
+
+                with mock.patch('awx.main.models.CustomInventoryScript.admin_role', new_callable=PropertyMock, return_value=roles):
+                    cis = CustomInventoryScript(pk=1, script='#!/python')
+                    serializer = CustomInventoryScriptSerializer()
+
+                    factory = APIRequestFactory()
+                    wsgi_request = factory.post("/inventory_script/1", {'id':1}, format="json")
+                    force_authenticate(wsgi_request, user)
+
+                    request = Request(wsgi_request)
+                    serializer.context['request'] = request
+
+                    representation = serializer.to_representation(cis)
+                    assert representation['script'] == value