From d85eda99c6b49bf9f9da1dfca2e6e56b07b5cc8f Mon Sep 17 00:00:00 2001
From: AlanCoding
Date: Wed, 22 Feb 2017 15:34:18 -0500
Subject: [PATCH] add back in Inv Src into schedule queryset computation
---
 awx/main/access.py | 7 +++++--
 awx/main/tests/functional/test_rbac_inventory.py | 15 ++++++++++++++-
 2 files changed, 19 insertions(+), 3 deletions(-)
diff --git a/awx/main/access.py b/awx/main/access.py
index 314d152f10..20becf2cbe 100644
--- a/awx/main/access.py
+++ b/awx/main/access.py
@@ -1966,8 +1966,11 @@ class ScheduleAccess(BaseAccess):
 if self.user.is_superuser or self.user.is_system_auditor:
 return qs.all()
- unified_qs = UnifiedJobTemplate.accessible_pk_qs(self.user, 'read_role')
- return qs.filter(unified_job_template__id__in=unified_qs)
+ unified_pk_qs = UnifiedJobTemplate.accessible_pk_qs(self.user, 'read_role')
+ inv_src_qs = InventorySource.objects.filter(inventory_id=Inventory._accessible_pk_qs(Inventory, self.user, 'read_role'))
+ return qs.filter(
+ Q(unified_job_template_id__in=unified_pk_qs) |
+ Q(unified_job_template_id__in=inv_src_qs.values_list('pk', flat=True)))
 @check_superuser
 def can_read(self, obj):
diff --git a/awx/main/tests/functional/test_rbac_inventory.py b/awx/main/tests/functional/test_rbac_inventory.py
index b68003f049..6f26cacc54 100644
--- a/awx/main/tests/functional/test_rbac_inventory.py
+++ b/awx/main/tests/functional/test_rbac_inventory.py
@@ -5,13 +5,15 @@ from awx.main.models import (
 Permission,
 Host,
 CustomInventoryScript,
+ Schedule
 )
 from awx.main.access import (
 InventoryAccess,
 InventorySourceAccess,
 HostAccess,
 InventoryUpdateAccess,
- CustomInventoryScriptAccess
+ CustomInventoryScriptAccess,
+ ScheduleAccess
 )
 from django.apps import apps
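Review bot: In the `ScheduleAccess` hunk of awx/main/access.py, the new `inv_src_qs` line filters with `inventory_id=<queryset>`, an exact lookup against a subquery that can return many primary keys, while the two `Q(...)` branches below it use `__in`. How an exact lookup against a multi-row queryset resolves depends on the Django version in use, so for a user holding `read_role` on more than one inventory it may raise or match fewer rows than intended; in an authorization filter the membership test should be explicit: `inv_src_qs = InventorySource.objects.filter(inventory_id__in=Inventory._accessible_pk_qs(Inventory, self.user, 'read_role'))`. The same line calls the underscore-prefixed `_accessible_pk_qs` directly while the line above uses the public `accessible_pk_qs`, so a one-line comment saying why the private form is needed would help. The enclosing method starts above the hunk.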
@@ -277,3 +279,14 @@ def test_inventory_source_credential_check(rando, inventory_source, credential):
 inventory_source.group.inventory.admin_role.members.add(rando)
 access = InventorySourceAccess(rando)
 assert not access.can_change(inventory_source, {'credential': credential})
+
+
+@pytest.mark.django_db
+def test_inventory_source_org_admin_schedule_access(org_admin, inventory_source):
+ schedule = Schedule.objects.create(
+ unified_job_template=inventory_source,
+ rrule='DTSTART:20151117T050000Z RRULE:FREQ=DAILY;INTERVAL=1;COUNT=1')
+ access = ScheduleAccess(org_admin)
+ assert access.get_queryset()
+ assert access.can_read(schedule)
+ assert access.can_change(schedule, {'rrule': 'DTSTART:20151117T050000Z RRULE:FREQ=DAILY;INTERVAL=1;COUNT=2'})
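Review bot: The new test pins only the positive path, and `assert access.get_queryset()` passes for any non-empty result, so it would not notice the widened queryset returning schedules to a user with no role on the inventory. Assert membership instead, `assert schedule in access.get_queryset()`, and add a negative check with a fixture that presumably holds no inventory role, for example `assert schedule not in ScheduleAccess(rando).get_queryset()` (`rando` is the fixture used by the test just above). A case where the user can read more than one inventory would also exercise the multi-row subquery that the access change builds.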