From 209e7e27b19490f320893da202f03f4f15fad88f Mon Sep 17 00:00:00 2001
From: Seth Foster
Date: Wed, 10 Jul 2024 21:46:26 -0400
Subject: [PATCH] Check member of org when granting cred (#15353)

A user needs to be a member of the org in order to use a credential in that org. We were incorrectly checking for "change" permission of the org, instead of "member".

Signed-off-by: Seth Foster
---
 awx/main/models/credential/__init__.py | 2 +-
 awx/main/tests/functional/dab_rbac/test_dab_rbac_api.py | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/awx/main/models/credential/__init__.py b/awx/main/models/credential/__init__.py
index e79737b40d..e07553e1a9 100644
--- a/awx/main/models/credential/__init__.py
+++ b/awx/main/models/credential/__init__.py
@@ -323,7 +323,7 @@ class Credential(PasswordFieldsModel, CommonModelNameNotUnique, ResourceMixin):
     def validate_role_assignment(self, actor, role_definition):
         if self.organization:
             if isinstance(actor, User):
-                if actor.is_superuser or Organization.access_qs(actor, 'change').filter(id=self.organization.id).exists():
+                if actor.is_superuser or Organization.access_qs(actor, 'member').filter(id=self.organization.id).exists():
                     return
             if isinstance(actor, Team):
                 if actor.organization == self.organization:
diff --git a/awx/main/tests/functional/dab_rbac/test_dab_rbac_api.py b/awx/main/tests/functional/dab_rbac/test_dab_rbac_api.py
index ec7885a533..46a90e0ee4 100644
--- a/awx/main/tests/functional/dab_rbac/test_dab_rbac_api.py
+++ b/awx/main/tests/functional/dab_rbac/test_dab_rbac_api.py
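Review bot: The changed line in validate_role_assignment records nothing about why `'member'` is the correct bar rather than `'change'` — the reasoning lives only in the commit message, and a later reader seeing a membership check gate a credential grant could plausibly "tighten" it back to the old, wrong permission. I'd add a docstring on the method, `"""Refuse to grant a role on an org-owned credential to a User or Team that is not in that organization."""`, and on the changed line `# org membership, not 'change' on the org, is what makes a user eligible to be granted the org's credentials`. The parameter name `actor` is also misleading here: the tests show it is the grantee (the user receiving the role), not the requester performing the assignment, so a short `# actor is the prospective assignee` would help. `role_definition` is not read in the visible lines; if the rest of the method does not use it either, a comment noting the check is intentionally role-independent is worth having. The method body continues past the end of the hunk.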
@@ -128,7 +128,7 @@ def test_assign_credential_to_user_of_another_org(setup_managed_roles, credentia
     rd = RoleDefinition.objects.get(name="Credential Admin")
     credential.organization = organization
     credential.save(update_fields=['organization'])
-    assert credential.organization not in Organization.access_qs(rando, 'change')
+    assert credential.organization not in Organization.access_qs(rando, 'member')
     url = django_reverse('roleuserassignment-list')
     resp = post(url=url, data={"user": rando.id, "role_definition": rd.id, "object_id": credential.id}, user=admin_user, expect=400)
     assert "You cannot grant credential access to a User not in the credentials' organization" in str(resp.data)
@@ -139,7 +139,7 @@ def test_assign_credential_to_user_of_another_org(setup_managed_roles, credentia
     post(url=url, data={"user": rando.id, "role_definition": rd.id, "object_id": credential.id}, user=admin_user, expect=201)
     # can assign credential to org_admin
-    assert credential.organization in Organization.access_qs(org_admin, 'change')
+    assert credential.organization in Organization.access_qs(org_admin, 'member')
     post(url=url, data={"user": org_admin.id, "role_definition": rd.id, "object_id": credential.id}, user=admin_user, expect=201)
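Review bot: The assertions in this hunk only swap the permission name in a precondition check, so nothing visible here distinguishes the fixed behaviour from the old one — `rando` is outside the organization under both `'change'` and `'member'`, and the 400 path would have passed before the fix as well. The case the commit actually repairs, a user who is an organization member but holds no `change` permission on it being granted the credential role, has no positive assertion in this hunk; unless the lines between the two hunks already cover it, I'd add a step that gives `rando` plain membership in `organization` (whatever fixture or role grants `member` without `change`), asserts `credential.organization in Organization.access_qs(rando, 'member')`, and then posts the same assignment expecting 201. The enclosing test function starts before the hunk.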