From 282ba36839ec2782c760ee62fed7e04320166209 Mon Sep 17 00:00:00 2001
From: Alan Rominger
Date: Tue, 9 Jul 2024 16:55:09 -0400
Subject: [PATCH] Fix EE admin not being able to PATCH/PUT object while providing `organization` (#15348)

* Fix bug where EE object-level admin could not set organization

* Finish polishing up test
---
 awx/main/access.py | 4 ----
 .../test_rbac_execution_environment.py | 22 +++++++++++++++++--
 2 files changed, 20 insertions(+), 6 deletions(-)

diff --git a/awx/main/access.py b/awx/main/access.py
index 9765b2ff91..a1cd956fd1 100644
--- a/awx/main/access.py
+++ b/awx/main/access.py
@@ -1419,10 +1419,6 @@ class ExecutionEnvironmentAccess(BaseAccess):
 else:
 if self.user not in obj.organization.execution_environment_admin_role:
 raise PermissionDenied
- if data and 'organization' in data:
- new_org = get_object_from_data('organization', Organization, data, obj=obj)
- if not new_org or self.user not in new_org.execution_environment_admin_role:
- return False
 return self.check_related('organization', Organization, data, obj=obj, role_field='execution_environment_admin_role')
 def can_delete(self, obj):
diff --git a/awx/main/tests/functional/test_rbac_execution_environment.py b/awx/main/tests/functional/test_rbac_execution_environment.py
index b8d27f7cc4..42af780595 100644
--- a/awx/main/tests/functional/test_rbac_execution_environment.py
+++ b/awx/main/tests/functional/test_rbac_execution_environment.py
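Review bot: The authorization decision for a changed `organization` now rests entirely on `check_related(...)`, whose body is not in this hunk, and nothing at the call site records what it is expected to enforce, so a reader of the remaining `return self.check_related(...)` line cannot tell that dropping the explicit `execution_environment_admin_role` check was not a loosening. From the new test in test_rbac_execution_environment.py it appears that check_related accepts an unchanged organization and requires `execution_environment_admin_role` on the new organization when it changes; that should be confirmed against its implementation before merging. I would add above the return: `# check_related allows an unchanged organization; moving to a new one requires execution_environment_admin_role on that organization`. can_change begins above this hunk, so the object-level branch that leads into this `else:` is not visible here.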
@@ -105,11 +105,29 @@ def test_give_object_permission_to_ee(org_ee, ee_rd, org_member, check_user_capa
 check_user_capabilities(org_member, org_ee, {'edit': False, 'delete': False, 'copy': False})
 ee_rd.give_permission(org_member, org_ee)
- assert access.can_change(org_ee, {'name': 'new'})
+ assert access.can_change(org_ee, {'name': 'new', 'organization': org_ee.organization.id})
 check_user_capabilities(org_member, org_ee, {'edit': True, 'delete': True, 'copy': False})
+@pytest.mark.django_db
+def test_need_related_organization_access(org_ee, ee_rd, org_member):
+ org2 = Organization.objects.create(name='another organization')
+ ee_rd.give_permission(org_member, org_ee)
+ org2.member_role.members.add(org_member)
+ access = ExecutionEnvironmentAccess(org_member)
+ assert access.can_change(org_ee, {'name': 'new', 'organization': org_ee.organization})
+ assert access.can_change(org_ee, {'name': 'new', 'organization': org_ee.organization.id})
+ assert not access.can_change(org_ee, {'name': 'new', 'organization': org2.id})
+ assert not access.can_change(org_ee, {'name': 'new', 'organization': org2})
+
+ # User can make the change if they have relevant permission to the new organization
+ org_ee.organization.execution_environment_admin_role.members.add(org_member)
+ org2.execution_environment_admin_role.members.add(org_member)
+ assert access.can_change(org_ee, {'name': 'new', 'organization': org2.id})
+ assert access.can_change(org_ee, {'name': 'new', 'organization': org2})
+
+
 @pytest.mark.django_db
 @pytest.mark.parametrize('style', ['new', 'old'])
 def test_give_org_permission_to_ee(org_ee, organization, org_member, check_user_capabilities, style, org_ee_rd):
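Review bot: The last step of `test_need_related_organization_access` grants `execution_environment_admin_role` on both `org_ee.organization` and `org2` before asserting that the move to `org2` is allowed, so the test cannot tell whether admin rights on the target organization or on the current one are what permit the change, and a regression that only checked the current organization would still pass. Granting the role on `org2` first and asserting, then granting it on `org_ee.organization` and asserting again, would pin the required permission precisely: `org2.execution_environment_admin_role.members.add(org_member)` followed by `assert access.can_change(org_ee, {'name': 'new', 'organization': org2.id})` before the `org_ee.organization.execution_environment_admin_role.members.add(org_member)` line. The `Organization` and `ExecutionEnvironmentAccess` names are presumably imported at the top of the module, which lies outside this hunk, as does the `access` used by `test_give_object_permission_to_ee`.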
@@ -123,5 +141,5 @@ def test_give_org_permission_to_ee(org_ee, organization, org_member, check_user_
 else:
 organization.execution_environment_admin_role.members.add(org_member)
- assert access.can_change(org_ee, {'name': 'new'})
+ assert access.can_change(org_ee, {'name': 'new', 'organization': organization.id})
 check_user_capabilities(org_member, org_ee, {'edit': True, 'delete': True, 'copy': True})