job read access for org auditors

awx/main/access.py

@@ -843,16 +843,17 @@ class JobAccess(BaseAccess):
             job_template__in=JobTemplate.accessible_objects(self.user, 'read_role')
         )
 
-        admin_of_organizations_qs = self.user.admin_of_organizations
+        org_access_qs = Organization.objects.filter(
-        if not admin_of_organizations_qs.exists():
+            Q(admin_role__members=self.user) | Q(auditor_role__members=self.user))
+        if not org_access_qs.exists():
             return qs_jt
 
         qs_scan_orphan = qs.filter(
             job_type=PERM_INVENTORY_SCAN,
-            inventory__organization__in=admin_of_organizations_qs
+            inventory__organization__in=org_access_qs
         )
         qs_orphan = qs.filter(
-            project__organization__in=admin_of_organizations_qs
+            project__organization__in=org_access_qs
         ).exclude(job_type=PERM_INVENTORY_SCAN)
         return (qs_jt | qs_orphan | qs_scan_orphan).distinct()
 

awx/main/tests/functional/conftest.py

@@ -215,6 +215,13 @@ def org_admin(user, organization):
     organization.member_role.members.add(ret)
     return ret
 
+@pytest.fixture
+def org_auditor(user, organization):
+    ret = user('org-auditor', False)
+    organization.auditor_role.members.add(ret)
+    organization.member_role.members.add(ret)
+    return ret
+
 @pytest.fixture
 def org_member(user, organization):
     ret = user('org-member', False)

awx/main/tests/functional/test_rbac_job.py

@@ -28,3 +28,8 @@ def test_org_member_does_not_see_orphans(org_member, orphan_job, project):
 def test_org_admin_sees_orphans(org_admin, orphan_job):
     access = JobAccess(org_admin)
     assert access.can_read(orphan_job)
+
+@pytest.mark.django_db
+def test_org_auditor_sees_orphans(org_auditor, orphan_job):
+    access = JobAccess(org_auditor)
+    assert access.can_read(orphan_job)