From 14809c086dc977f7c4e2b937bf2341738bfe3ecf Mon Sep 17 00:00:00 2001
From: Wayne Witzel III
Date: Thu, 16 Jun 2016 15:24:07 -0400
Subject: [PATCH] added some assertions to catch cycles, updated migration
---
 .../migrations/0025_v300_update_rbac_parents.py | 7 ++++++-
 awx/main/models/organization.py | 2 +-
 awx/main/tests/functional/test_rbac_team.py | 13 +++++++++++++
 3 files changed, 20 insertions(+), 2 deletions(-)
diff --git a/awx/main/migrations/0025_v300_update_rbac_parents.py b/awx/main/migrations/0025_v300_update_rbac_parents.py
index 0bf458987f..d2ceaab73b 100644
--- a/awx/main/migrations/0025_v300_update_rbac_parents.py
+++ b/awx/main/migrations/0025_v300_update_rbac_parents.py
@@ -1,7 +1,7 @@
 # -*- coding: utf-8 -*-
 from __future__ import unicode_literals
-from django.db import migrations, models
+from django.db import migrations
 import awx.main.fields
@@ -22,4 +22,9 @@ class Migration(migrations.Migration):
 name='member_role',
 field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=b'admin_role', to='main.Role', null=b'True'),
 ),
+ migrations.AlterField(
+ model_name='team',
+ name='read_role',
+ field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=[b'organization.auditor_role', b'member_role'], to='main.Role', null=b'True'),
+ ),
 ]
diff --git a/awx/main/models/organization.py b/awx/main/models/organization.py
index 0c14071644..3717171411 100644
--- a/awx/main/models/organization.py
+++ b/awx/main/models/organization.py
@@ -108,7 +108,7 @@ class Team(CommonModelNameNotUnique, ResourceMixin):
 parent_role='admin_role',
 )
 read_role = ImplicitRoleField(
- parent_role=['admin_role', 'organization.auditor_role', 'member_role'],
+ parent_role=['organization.auditor_role', 'member_role'],
 )
 def get_absolute_url(self):
diff --git a/awx/main/tests/functional/test_rbac_team.py b/awx/main/tests/functional/test_rbac_team.py
index 8396464cfa..0c16ba9f6f 100644
--- a/awx/main/tests/functional/test_rbac_team.py
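Review bot: The `AlterField` for `team.read_role` is appended to the existing migration 0025 instead of going into a new migration, so any database that has already recorded 0025 as applied will never run it. If 0025 has been applied anywhere outside a developer checkout, the operation belongs in a new migration file; if not, a comment above it such as `# read_role no longer lists admin_role directly` would record why the field is altered here. The `Migration` class starts outside the hunk, so whether stored role parents are rebuilt elsewhere in this file cannot be seen from here. Separately, `null=b'True'` on the new line (and on the `member_role` context line) is a non-empty bytes string that is merely truthy; `null=True` states the intent, and if the value comes from the field's own defaults the fix belongs there.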
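Review bot: With `admin_role` dropped from `read_role`'s parents, a team admin's read access now depends entirely on inheriting through `member_role`, and nothing in this commit pins that. The `parent_role='admin_role'` context line just above presumably belongs to `member_role` (the migration hunk suggests so), but its field name is outside the hunk. A comment on the field such as `# admin_role reaches read_role through member_role` would document the reliance. A test asserting `len(Team.accessible_objects(u, 'read_role')) == 1` for a user who is only in `team.admin_role` would keep a later edit to `member_role` from silently removing admin read access.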
+++ b/awx/main/tests/functional/test_rbac_team.py
@@ -97,3 +97,16 @@ def test_team_admin_member_access(team, user, project):
 team.admin_role.members.add(u)
 assert len(Project.accessible_objects(u, 'use_role')) == 1
+
+
+@pytest.mark.django_db
+def test_org_admin_team_access(organization, team, user, project):
+ u = user('team_admin', False)
+ organization.admin_role.members.add(u)
+
+ team.organization = organization
+ team.save()
+
+ team.member_role.children.add(project.use_role)
+
+ assert len(Project.accessible_objects(u, 'use_role')) == 1
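Review bot: `test_org_admin_team_access` has no negative control: it asserts one accessible project after the grant but never that the user had none before it, so it would also pass if the fixtures gave `u` access by some other path. Asserting `len(Project.accessible_objects(u, 'use_role')) == 0` before `organization.admin_role.members.add(u)` would tie the result to the org-admin grant, assuming the fixtures give a fresh user no roles. The username `'team_admin'` is misleading for a user who is only added to `organization.admin_role`; `'org_admin'` would match the test name. The commit subject mentions catching cycles, yet nothing here asserts on one, so a one-line docstring naming the inheritance path the test is meant to exercise would make the intent clear.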