restrict editing of orphan notification templates to superusers

awx/main/access.py

@@ -1369,14 +1369,15 @@ class NotificationTemplateAccess(BaseAccess):
 
     @check_superuser
     def can_change(self, obj, data):
+        if obj.organization is None:
+            # only superusers are allowed to edit orphan notification templates
+            return False
         org_pk = get_pk_from_dict(data, 'organization')
         if obj and org_pk and obj.organization.pk != org_pk:
             org = get_object_or_400(Organization, pk=org_pk)
             if self.user not in org.admin_role:
                 return False
-        if obj.organization is not None:
+        return self.user in obj.organization.admin_role
-            return self.user in obj.organization.admin_role
-        return False
 
     def can_admin(self, obj, data):
         return self.can_change(obj, data)

awx/main/tests/functional/test_rbac_notifications.py

@@ -75,3 +75,9 @@ def test_notification_template_access_org_user(notification_template, user):
     assert not access.can_read(notification_template)
     assert not access.can_change(notification_template, None)
     assert not access.can_delete(notification_template)
+
+@pytest.mark.django_db
+def test_notificaiton_template_orphan_access_org_admin(notification_template, organization, org_admin):
+    notification_template.organization = None
+    access = NotificationTemplateAccess(org_admin)
+    assert not access.can_change(notification_template, {'organization': organization.id})