From 320803020278a3b3b43bc5d206bec2cc3857a005 Mon Sep 17 00:00:00 2001
From: AlanCoding
Date: Tue, 24 May 2016 11:51:37 -0400
Subject: [PATCH] job read access for org auditors
---
 awx/main/access.py | 9 +++++----
 awx/main/tests/functional/conftest.py | 7 +++++++
 awx/main/tests/functional/test_rbac_job.py | 5 +++++
 3 files changed, 17 insertions(+), 4 deletions(-)
diff --git a/awx/main/access.py b/awx/main/access.py
index 30b2bc1fa4..a8a3782e86 100644
--- a/awx/main/access.py
+++ b/awx/main/access.py
@@ -843,16 +843,17 @@ class JobAccess(BaseAccess):
 job_template__in=JobTemplate.accessible_objects(self.user, 'read_role')
 )
- admin_of_organizations_qs = self.user.admin_of_organizations
- if not admin_of_organizations_qs.exists():
+ org_access_qs = Organization.objects.filter(
+ Q(admin_role__members=self.user) | Q(auditor_role__members=self.user))
+ if not org_access_qs.exists():
 return qs_jt
 qs_scan_orphan = qs.filter(
 job_type=PERM_INVENTORY_SCAN,
- inventory__organization__in=admin_of_organizations_qs
+ inventory__organization__in=org_access_qs
 )
 qs_orphan = qs.filter(
- project__organization__in=admin_of_organizations_qs
+ project__organization__in=org_access_qs
 ).exclude(job_type=PERM_INVENTORY_SCAN)
 return (qs_jt | qs_orphan | qs_scan_orphan).distinct()
diff --git a/awx/main/tests/functional/conftest.py b/awx/main/tests/functional/conftest.py
index 081ffca21e..94223ceb58 100644
--- a/awx/main/tests/functional/conftest.py
+++ b/awx/main/tests/functional/conftest.py
@@ -215,6 +215,13 @@ def org_admin(user, organization):
 organization.member_role.members.add(ret)
 return ret
+@pytest.fixture
+def org_auditor(user, organization):
+ ret = user('org-auditor', False)
+ organization.auditor_role.members.add(ret)
+ organization.member_role.members.add(ret)
+ return ret
+
 @pytest.fixture
 def org_member(user, organization):
 ret = user('org-member', False)
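Review bot: In awx/main/access.py the new `org_access_qs` only matches users who are direct members of `admin_role` or `auditor_role`, whereas the context line above it resolves template access through `JobTemplate.accessible_objects(self.user, 'read_role')`. If a role can be held indirectly (through a team or a parent role, which this hunk does not show), the two checks in the same method will disagree about who may read a job. Consider resolving both organization roles the same way, e.g. `Organization.accessible_objects(self.user, 'auditor_role')` combined with the admin equivalent, assuming Organization exposes that helper. A short comment above the filter, such as `# org admins and auditors may read orphaned jobs of their own organizations (read-only)`, would record why the scope was widened. The method begins above the hunk, so any earlier superuser or system-auditor shortcut is not visible here.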
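Review bot: In awx/main/tests/functional/conftest.py the new `org_auditor` fixture also runs `organization.member_role.members.add(ret)`, so no test built on it exercises a user who holds the auditor role alone. The access change keys on `auditor_role` membership, so the auditor-only case is the one worth pinning. Either drop the `member_role` line, or give the fixture a one-line docstring such as `"""Org auditor who is also an org member."""` so the overlap is a stated choice.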
diff --git a/awx/main/tests/functional/test_rbac_job.py b/awx/main/tests/functional/test_rbac_job.py
index 4a176062d5..4d37e926bf 100644
--- a/awx/main/tests/functional/test_rbac_job.py
+++ b/awx/main/tests/functional/test_rbac_job.py
@@ -28,3 +28,8 @@ def test_org_member_does_not_see_orphans(org_member, orphan_job, project):
 def test_org_admin_sees_orphans(org_admin, orphan_job):
 access = JobAccess(org_admin)
 assert access.can_read(orphan_job)
+
+@pytest.mark.django_db
+def test_org_auditor_sees_orphans(org_auditor, orphan_job):
+ access = JobAccess(org_auditor)
+ assert access.can_read(orphan_job)
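Review bot: `test_org_auditor_sees_orphans` asserts only the new grant; nothing checks that the widened filter stays limited to the auditor's own organization. A companion test where the orphan job's project belongs to a different organization, expecting `not access.can_read(orphan_job)`, would pin that boundary. The `PERM_INVENTORY_SCAN` branch changed in access.py also has no auditor case. If auditors are meant to be read-only, it is worth asserting that the other permission checks on `JobAccess` still deny this user, so a later refactor cannot turn the read grant into more.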