Merge pull request #3062 from AlanCoding/3037_orphan_proj

orphan project protection in job delete access (API 3.0.1)

awx/main/access.py

@@ -1081,7 +1081,8 @@ class JobAccess(BaseAccess):
     def can_delete(self, obj):
         if obj.inventory is not None and self.user in obj.inventory.organization.admin_role:
             return True
-        if obj.project is not None and self.user in obj.project.organization.admin_role:
+        if (obj.project is not None and obj.project.organization is not None and
+                self.user in obj.project.organization.admin_role):
             return True
         return False
 

awx/main/tests/functional/test_rbac_job.py

@@ -92,6 +92,12 @@ def test_null_related_delete_denied(normal_job, rando):
     access = JobAccess(rando)
     assert not access.can_delete(normal_job)
 
+@pytest.mark.django_db
+def test_delete_job_with_orphan_proj(normal_job, rando):
+    normal_job.project.organization = None
+    access = JobAccess(rando)
+    assert not access.can_delete(normal_job)
+
 @pytest.mark.django_db
 def test_inventory_org_admin_delete_allowed(normal_job, org_admin):
     normal_job.project = None # do this so we test job->inventory->org->admin connection