From 764ed8d576f8862fa970c6e38975dcd05e8bdecd Mon Sep 17 00:00:00 2001
From: Aaron Tan <jangsutsr@gmail.com>
Date: Mon, 3 Oct 2016 15:37:33 -0400
Subject: [PATCH 1/2] Change JT can_change behavior.

---
 awx/main/access.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/awx/main/access.py b/awx/main/access.py
index a0dd395bda..a47e1a6445 100644
--- a/awx/main/access.py
+++ b/awx/main/access.py
@@ -1066,7 +1066,7 @@ class JobTemplateAccess(BaseAccess):
                 required_obj = getattr(obj, required_field, None)
                 if required_field not in data_for_change and required_obj is not None:
                     data_for_change[required_field] = required_obj.pk
-        return self.can_read(obj) and self.can_add(data_for_change)
+        return self.can_read(obj) and (self.can_add(data_for_change) if data is not None else True)
 
     def changes_are_non_sensitive(self, obj, data):
         '''

From 2be5d2f23f372c18411d1c91606820d914e0c473 Mon Sep 17 00:00:00 2001
From: Aaron Tan <jangsutsr@gmail.com>
Date: Mon, 3 Oct 2016 17:32:43 -0400
Subject: [PATCH 2/2] Unit test added.

---
 awx/main/tests/functional/test_rbac_job_templates.py | 7 +++++++
 awx/main/tests/functional/test_rbac_label.py         | 1 -
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/awx/main/tests/functional/test_rbac_job_templates.py b/awx/main/tests/functional/test_rbac_job_templates.py
index c8cc2b8502..8905eb21a0 100644
--- a/awx/main/tests/functional/test_rbac_job_templates.py
+++ b/awx/main/tests/functional/test_rbac_job_templates.py
@@ -240,3 +240,10 @@ def test_job_template_creator_access(project, rando, post):
     jt_obj = JobTemplate.objects.get(pk=jt_pk)
     # Creating a JT should place the creator in the admin role
     assert rando in jt_obj.admin_role
+
+@pytest.mark.django_db
+def test_associate_label(label, user, job_template):
+    access = JobTemplateAccess(user('joe', False))
+    job_template.admin_role.members.add(user('joe', False))
+    label.organization.read_role.members.add(user('joe', False))
+    assert access.can_attach(job_template, label, 'labels', None)
diff --git a/awx/main/tests/functional/test_rbac_label.py b/awx/main/tests/functional/test_rbac_label.py
index e425d50908..98daa5cdec 100644
--- a/awx/main/tests/functional/test_rbac_label.py
+++ b/awx/main/tests/functional/test_rbac_label.py
@@ -61,4 +61,3 @@ def test_label_access_user(label, user):
 
     assert access.can_read(label)
     assert access.can_add({'organization': label.organization.id})
-