Add better error message for wfjt create 403 (#15309)

awx/api/views/__init__.py

@@ -3111,6 +3111,14 @@ class WorkflowJobTemplateList(ListCreateAPIView):
     serializer_class = serializers.WorkflowJobTemplateSerializer
     always_allow_superuser = False
 
+    def check_permissions(self, request):
+        if request.method == 'POST':
+            can_access, messages = request.user.can_access_with_errors(self.model, 'add', request.data)
+            if not can_access:
+                self.permission_denied(request, message=messages)
+
+        super(WorkflowJobTemplateList, self).check_permissions(request)
+
 
 class WorkflowJobTemplateDetail(RelatedJobsPreventDeleteMixin, RetrieveUpdateDestroyAPIView):
     model = models.WorkflowJobTemplate

awx/main/access.py

@@ -2091,11 +2091,20 @@ class WorkflowJobTemplateAccess(NotificationAttachMixin, BaseAccess):
         if not data:  # So the browseable API will work
             return Organization.accessible_objects(self.user, 'workflow_admin_role').exists()
 
-        return bool(
+        if not self.check_related('organization', Organization, data, role_field='workflow_admin_role', mandatory=True):
-            self.check_related('organization', Organization, data, role_field='workflow_admin_role', mandatory=True)
+            if data.get('organization', None) is None:
-            and self.check_related('inventory', Inventory, data, role_field='use_role')
+                self.messages['organization'] = [_('An organization is required to create a workflow job template for normal user')]
-            and self.check_related('execution_environment', ExecutionEnvironment, data, role_field='read_role')
+            return False
-        )
+
+        if not self.check_related('inventory', Inventory, data, role_field='use_role'):
+            self.messages['inventory'] = [_('You do not have use_role to the inventory')]
+            return False
+
+        if not self.check_related('execution_environment', ExecutionEnvironment, data, role_field='read_role'):
+            self.messages['execution_environment'] = [_('You do not have read_role to the execution environment')]
+            return False
+
+        return True
 
     def can_copy(self, obj):
         if self.save_messages:

awx/main/tests/functional/test_rbac_workflow.py

@@ -35,6 +35,13 @@ class TestWorkflowJobTemplateAccess:
         assert org_member in wfjt.execute_role
         assert org_member in wfjt.read_role
 
+    def test_non_super_admin_no_add_without_org(self, wfjt, organization, rando):
+        organization.member_role.members.add(rando)
+        wfjt.admin_role.members.add(rando)
+        access = WorkflowJobTemplateAccess(rando, save_messages=True)
+        assert not access.can_add({'name': 'without org'})
+        assert 'An organization is required to create a workflow job template for normal user' in access.messages['organization']
+
 
 @pytest.mark.django_db
 class TestWorkflowJobTemplateNodeAccess: