Check member of org when granting cred (#15353)

A user needs to be a member of the org in order to use a credential in that org. We were incorrectly checking for "change" permission of the org, instead of "member". Signed-off-by: Seth Foster <fosterbseth@gmail.com>
2026-01-10 15:32:07 -03:30 · 2024-07-10 21:46:26 -04:00 · 2024-07-10 21:46:26 -04:00 · 209e7e27b1
commit 209e7e27b1
parent 6c7d29a982
2 changed files with 3 additions and 3 deletions
--- a/awx/main/models/credential/init.py
+++ b/awx/main/models/credential/init.py
@ -323,7 +323,7 @@ class Credential(PasswordFieldsModel, CommonModelNameNotUnique, ResourceMixin):
    def validate_role_assignment(self, actor, role_definition):
        if self.organization:
            if isinstance(actor, User):
-                if actor.is_superuser or Organization.access_qs(actor, 'change').filter(id=self.organization.id).exists():
+                if actor.is_superuser or Organization.access_qs(actor, 'member').filter(id=self.organization.id).exists():
                    return
            if isinstance(actor, Team):
                if actor.organization == self.organization:
--- a/awx/main/tests/functional/dab_rbac/test_dab_rbac_api.py
+++ b/awx/main/tests/functional/dab_rbac/test_dab_rbac_api.py
@ -128,7 +128,7 @@ def test_assign_credential_to_user_of_another_org(setup_managed_roles, credentia
    rd = RoleDefinition.objects.get(name="Credential Admin")
    credential.organization = organization
    credential.save(update_fields=['organization'])
-    assert credential.organization not in Organization.access_qs(rando, 'change')
+    assert credential.organization not in Organization.access_qs(rando, 'member')
    url = django_reverse('roleuserassignment-list')
    resp = post(url=url, data={"user": rando.id, "role_definition": rd.id, "object_id": credential.id}, user=admin_user, expect=400)
    assert "You cannot grant credential access to a User not in the credentials' organization" in str(resp.data)
@ -139,7 +139,7 @@ def test_assign_credential_to_user_of_another_org(setup_managed_roles, credentia
    post(url=url, data={"user": rando.id, "role_definition": rd.id, "object_id": credential.id}, user=admin_user, expect=201)

    # can assign credential to org_admin
-    assert credential.organization in Organization.access_qs(org_admin, 'change')
+    assert credential.organization in Organization.access_qs(org_admin, 'member')
    post(url=url, data={"user": org_admin.id, "role_definition": rd.id, "object_id": credential.id}, user=admin_user, expect=201)