fix a subtle bug in awx.main.access.OAuth2ApplicationAccess.can_read

see: https://github.com/ansible/tower/issues/2952

awx/main/access.py

@@ -611,7 +611,8 @@ class OAuth2ApplicationAccess(BaseAccess):
     select_related = ('user',)
 
     def filtered_queryset(self):
-        return self.model.objects.filter(organization__in=self.user.organizations)
+        org_access_qs = Organization.accessible_objects(self.user, 'member_role')
+        return self.model.objects.filter(organization__in=org_access_qs)
 
     def can_change(self, obj, data):
         return self.user.is_superuser or self.check_related('organization', Organization, data, obj=obj, 

awx/main/tests/functional/test_rbac_oauth.py

@@ -34,8 +34,17 @@ class TestOAuth2Application:
                     client_type='confidential', authorization_grant_type='password', organization=organization
                 )
                 assert access.can_read(app) is can_access    
-                
+
-        
+        def test_admin_only_can_read(self, user, organization):
+            user = user('org-admin', False)
+            organization.admin_role.members.add(user)
+            access = OAuth2ApplicationAccess(user)
+            app = Application.objects.create(
+                name='test app for {}'.format(user.username), user=user,
+                client_type='confidential', authorization_grant_type='password', organization=organization
+            )
+            assert access.can_read(app) is True
+
         def test_app_activity_stream(self, org_admin, alice, organization):
             app = Application.objects.create(
                 name='test app for {}'.format(org_admin.username), user=org_admin,