From 1b4dd7c7837e798b484d558e26b6ee03da583fba Mon Sep 17 00:00:00 2001
From: Ryan Petrello
Date: Tue, 4 Aug 2020 17:29:44 -0400
Subject: [PATCH] enforce Organization ownership of Galaxy credentials
---
 awx/api/serializers.py | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
diff --git a/awx/api/serializers.py b/awx/api/serializers.py
index cd47bcc4c1..360647b60a 100644
--- a/awx/api/serializers.py
+++ b/awx/api/serializers.py
@@ -2611,6 +2611,17 @@ class CredentialSerializer(BaseSerializer):
 ret.remove(field)
 return ret
+ def validate_organization(self, org):
+ if (
+ self.instance and
+ self.instance.credential_type.kind == 'galaxy' and
+ org is None
+ ):
+ raise serializers.ValidationError(_(
+ "Galaxy credentials must be owned by an Organization."
+ ))
+ return org
+
 def validate_credential_type(self, credential_type):
 if self.instance and credential_type.pk != self.instance.credential_type.pk:
 for related_objects in (
@@ -2675,6 +2686,14 @@ class CredentialSerializerCreate(CredentialSerializer):
 if attrs.get('team'):
 attrs['organization'] = attrs['team'].organization
+ if (
+ attrs['credential_type'].kind == 'galaxy' and
+ list(owner_fields) != ['organization']
+ ):
+ raise serializers.ValidationError({"organization": _(
+ "Galaxy credentials must be owned by an Organization."
+ )})
+
 return super(CredentialSerializerCreate, self).validate(attrs)
 def create(self, validated_data):
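Review bot: The ownership rule in `validate_organization` is enforced only when `organization` is part of the submitted data, and it tests the stored type (`self.instance.credential_type.kind`) rather than the type the request is setting. Django REST Framework runs a field-level `validate_<field>` only for fields present in the input, so an update that changes `credential_type` to a Galaxy type on a credential with no organization would not reach this check. Whether `validate_credential_type` already blocks that transition cannot be told from the hunk, since its body continues outside it. Consider an object-level check that compares the effective type and the effective organization; if the class already defines `validate`, fold the condition into it. A short docstring stating the rule would also help.

```python
def validate(self, attrs):
    # Object-level, so the rule also applies when only credential_type is submitted.
    if self.instance:
        credential_type = attrs.get('credential_type', self.instance.credential_type)
        organization = attrs.get('organization', self.instance.organization)
        if credential_type.kind == 'galaxy' and organization is None:
            raise serializers.ValidationError({"organization": _(
                "Galaxy credentials must be owned by an Organization."
            )})
    return super(CredentialSerializer, self).validate(attrs)
```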
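Review bot: The added condition in `CredentialSerializerCreate.validate` has no comment explaining why a request that names a `team` is rejected even though the lines just above derive `attrs['organization']` from that team. The test `list(owner_fields) != ['organization']` depends on how `owner_fields` is built, which is outside the hunk, so the intent should be written down next to it, for example `# Galaxy credentials may only be organization-owned: reject user/team ownership even when a team implies an organization.` The error text also reads oddly when the caller did send `organization` together with `user` or `team`; a wording that says organization must be the only owner field would be clearer. The same message literal now appears in two methods and could be a shared module-level constant.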