Merge pull request #2930 from AlanCoding/2929_org_auditors_NT

Allow org auditors to view notification templates

awx/main/access.py

@@ -1371,13 +1371,17 @@ class NotificationTemplateAccess(BaseAccess):
         qs = self.model.objects.all()
         if self.user.is_superuser or self.user.is_system_auditor:
             return qs
-        return self.model.objects.filter(organization__in=Organization.accessible_objects(self.user, 'admin_role').all())
+        return self.model.objects.filter(
+            Q(organization__in=self.user.admin_of_organizations) |
+            Q(organization__in=self.user.auditor_of_organizations)
+        ).distinct()
 
     def can_read(self, obj):
         if self.user.is_superuser or self.user.is_system_auditor:
             return True
         if obj.organization is not None:
-            return self.user in obj.organization.admin_role
+            if self.user in obj.organization.admin_role or self.user in obj.organization.auditor_role:
+                return True
         return False
 
     @check_superuser

awx/main/tests/functional/test_rbac_notifications.py

@@ -24,6 +24,11 @@ def test_notification_template_get_queryset_orgadmin(notification_template, user
     notification_template.organization.admin_role.members.add(user('admin', False))
     assert access.get_queryset().count() == 1
 
+@pytest.mark.django_db
+def test_notification_template_get_queryset_org_auditor(notification_template, org_auditor):
+    access = NotificationTemplateAccess(org_auditor)
+    assert access.get_queryset().count() == 1
+
 @pytest.mark.django_db
 def test_notification_template_access_superuser(notification_template_factory):
     nf_objects = notification_template_factory('test-orphaned', organization='test', superusers=['admin'])