AC-711 Allow org admins to see all users.

awx/main/access.py

@@ -156,7 +156,8 @@ class UserAccess(BaseAccess):
     I can see user records when:
      - I'm a superuser.
      - I'm that user.
-     - I'm their org admin.
+     - I'm an org admin (org admins should be able to see all users, in order
+       to add those users to the org).
      - I'm in an org with that user.
      - I'm on a team with that user.
     I can change some fields for a user (mainly password) when I am that user.
@@ -171,6 +172,8 @@ class UserAccess(BaseAccess):
         qs = self.model.objects.filter(is_active=True).distinct()
         if self.user.is_superuser:
             return qs
+        if self.user.admin_of_organizations.count():
+            return qs
         return qs.filter(
             Q(pk=self.user.pk) |
             Q(organizations__in=self.user.admin_of_organizations.all()) |

awx/main/tests/users.py

@@ -226,8 +226,9 @@ class UsersTest(BaseTest):
         url = reverse('api:user_list')
         data3 = self.get(url, expect=200, auth=self.get_super_credentials())
         self.assertEquals(data3['count'], 4)
+        # Normal user is an org admin, can see all users.
         data2 = self.get(url, expect=200, auth=self.get_normal_credentials())
-        self.assertEquals(data2['count'], 2)
+        self.assertEquals(data2['count'], 4)
         data1 = self.get(url, expect=200, auth=self.get_other_credentials())
         self.assertEquals(data1['count'], 2)