From 1fb4a68047adcec5b6100e2dbe68cc26bba9bd23 Mon Sep 17 00:00:00 2001
From: Wayne Witzel III <wayne@riotousliving.com>
Date: Wed, 8 Jun 2016 04:23:29 -0400
Subject: [PATCH] CredentialAccess should check for the owner_role earlier

---
 awx/main/access.py | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/awx/main/access.py b/awx/main/access.py
index f47635a03c..f475809a6d 100644
--- a/awx/main/access.py
+++ b/awx/main/access.py
@@ -586,6 +586,7 @@ class CredentialAccess(BaseAccess):
         if organization_pk:
             organization_obj = get_object_or_400(Organization, pk=organization_pk)
             return check_user_access(self.user, Organization, 'change', organization_obj, None)
+
         return False
 
 
@@ -595,9 +596,9 @@ class CredentialAccess(BaseAccess):
 
     @check_superuser
     def can_change(self, obj, data):
-        if not self.can_add(data):
-            return False
-        return self.user in obj.owner_role
+        if self.user in obj.owner_role:
+            return True
+        return self.can_add(data)
 
     def can_delete(self, obj):
         # Unassociated credentials may be marked deleted by anyone, though we