From 4b57aa238a31ac9c4a9d9de580763a90740ab58e Mon Sep 17 00:00:00 2001
From: AlanCoding
Date: Mon, 19 Dec 2016 11:21:45 -0500
Subject: [PATCH] switch WFJT node permissions to execute and use levels

---
 awx/main/access.py | 19 +++++++-----------
 .../tests/functional/test_rbac_workflow.py | 20 +++++++++++++++----
 2 files changed, 23 insertions(+), 16 deletions(-)

diff --git a/awx/main/access.py b/awx/main/access.py
index 422ed6be7c..1de7049426 100644
--- a/awx/main/access.py
+++ b/awx/main/access.py
@@ -1396,23 +1396,18 @@ class WorkflowJobTemplateNodeAccess(BaseAccess):
         return qs
 
     def can_use_prompted_resources(self, data):
-        if not self.check_related('credential', Credential, data):
-            return False
-        if not self.check_related('inventory', Inventory, data):
-            return False
-        return True
+        return (
+            self.check_related('credential', Credential, data, role_field='use_role') and
+            self.check_related('inventory', Inventory, data, role_field='use_role'))
 
     @check_superuser
     def can_add(self, data):
         if not data:  # So the browseable API will work
             return True
-        if not self.check_related('workflow_job_template', WorkflowJobTemplate, data, mandatory=True):
-            return False
-        if not self.check_related('unified_job_template', UnifiedJobTemplate, data):
-            return False
-        if not self.can_use_prompted_resources(data):
-            return False
-        return True
+        return (
+            self.check_related('workflow_job_template', WorkflowJobTemplate, data, mandatory=True) and
+            self.check_related('unified_job_template', UnifiedJobTemplate, data, role_field='execute_role') and
+            self.can_use_prompted_resources(data))
 
     def wfjt_admin(self, obj):
         if not obj.workflow_job_template:
diff --git a/awx/main/tests/functional/test_rbac_workflow.py b/awx/main/tests/functional/test_rbac_workflow.py
index 2f52f83940..a0f0348e38 100644
--- a/awx/main/tests/functional/test_rbac_workflow.py
+++ b/awx/main/tests/functional/test_rbac_workflow.py
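Review bot: The tightened `role_field='execute_role'` / `role_field='use_role'` checks are applied in `can_add` only; `can_change` of WorkflowJobTemplateNodeAccess lies outside this hunk, and if it still calls `check_related` without a `role_field`, an existing node could be re-pointed at a job template or inventory the actor can merely read by editing it rather than creating it — worth confirming both paths pass the same role fields. The `and`-chained form also returns whatever `check_related` returns instead of the original explicit `True`/`False`; harmless if that helper always yields a bool, but worth a glance since callers may compare against `True`. A one-line docstring on `can_use_prompted_resources` would make the intent explicit, e.g. `"""Prompted credential/inventory need use_role on the actor, mirroring what launching the template would require."""` (hedged: that launch parallel is inferred from the commit subject, not shown here). The enclosing class, and `can_add`'s siblings, continue outside the hunk.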
@@ -51,17 +51,29 @@ class TestWorkflowJobTemplateAccess:
 
 @pytest.mark.django_db
 class TestWorkflowJobTemplateNodeAccess:
-    def test_jt_access_to_edit(self, wfjt_node, org_admin):
+    def test_no_jt_access_to_edit(self, wfjt_node, org_admin):
+        # without access to the related job template, admin to the WFJT can
+        # not change the prompted parameters
         access = WorkflowJobTemplateNodeAccess(org_admin)
         assert not access.can_change(wfjt_node, {'job_type': 'scan'})
 
     def test_add_JT_no_start_perm(self, wfjt, job_template, rando):
         wfjt.admin_role.members.add(rando)
-        access = WorkflowJobTemplateAccess(rando)
+        access = WorkflowJobTemplateNodeAccess(rando)
         job_template.read_role.members.add(rando)
         assert not access.can_add({
-            'workflow_job_template': wfjt.pk,
-            'unified_job_template': job_template.pk})
+            'workflow_job_template': wfjt,
+            'unified_job_template': job_template})
+
+    def test_add_node_with_minimum_permissions(self, wfjt, job_template, inventory, rando):
+        wfjt.admin_role.members.add(rando)
+        access = WorkflowJobTemplateNodeAccess(rando)
+        job_template.execute_role.members.add(rando)
+        inventory.use_role.members.add(rando)
+        assert access.can_add({
+            'workflow_job_template': wfjt,
+            'inventory': inventory,
+            'unified_job_template': job_template})
 
     def test_remove_unwanted_foreign_node(self, wfjt_node, job_template, rando):
         wfjt = wfjt_node.workflow_job_template
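Review bot: `test_add_node_with_minimum_permissions` pins the positive path, but the new `use_role` requirement on a prompted inventory has no negative test: `test_add_JT_no_start_perm` only covers a read-only job template and passes no inventory at all, so the `role_field='use_role'` branch of `can_use_prompted_resources` refusing a read-only inventory is never exercised, and a regression back to plain read access would go unnoticed. I would add a sibling test that grants execute on the job template and only read on the inventory and asserts `can_add` is refused (a matching credential case would be worthwhile too, though no credential fixture is visible in this hunk). The test class continues past the end of the hunk.
```python
    # … unchanged: test_add_node_with_minimum_permissions …

    def test_add_node_inventory_read_only(self, wfjt, job_template, inventory, rando):
        # execute on the JT is not enough; a prompted inventory needs use_role
        wfjt.admin_role.members.add(rando)
        access = WorkflowJobTemplateNodeAccess(rando)
        job_template.execute_role.members.add(rando)
        inventory.read_role.members.add(rando)
        assert not access.can_add({
            'workflow_job_template': wfjt,
            'inventory': inventory,
            'unified_job_template': job_template})

    # … unchanged: test_remove_unwanted_foreign_node …
```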