From 381e44c2a2ae912874688e1f2db852f2ad3de475 Mon Sep 17 00:00:00 2001
From: AlanCoding <arominger@ansible.com>
Date: Thu, 26 May 2016 16:42:05 -0400
Subject: [PATCH] updates for job can_delete

---
 awx/main/access.py                         | 28 +++++++----
 awx/main/tests/functional/test_rbac_job.py | 57 ++++++++++++++++++----
 2 files changed, 66 insertions(+), 19 deletions(-)

diff --git a/awx/main/access.py b/awx/main/access.py
index a8a3782e86..802e5b4064 100644
--- a/awx/main/access.py
+++ b/awx/main/access.py
@@ -828,6 +828,16 @@ class JobTemplateAccess(BaseAccess):
         return self.user in obj.admin_role
 
 class JobAccess(BaseAccess):
+    '''
+    I can see jobs when:
+     - I am a superuser.
+     - I can see its job template
+     - I am an admin or auditor of the organization which contains its inventory
+     - I am an admin or auditor of the organization which contains its project
+    I can delete jobs when:
+     - I am an admin of the organization which contains its inventory
+     - I am an admin of the organization which contains its project
+    '''
 
     model = Job
 
@@ -848,14 +858,10 @@ class JobAccess(BaseAccess):
         if not org_access_qs.exists():
             return qs_jt
 
-        qs_scan_orphan = qs.filter(
-            job_type=PERM_INVENTORY_SCAN,
-            inventory__organization__in=org_access_qs
-        )
-        qs_orphan = qs.filter(
-            project__organization__in=org_access_qs
-        ).exclude(job_type=PERM_INVENTORY_SCAN)
-        return (qs_jt | qs_orphan | qs_scan_orphan).distinct()
+        return qs.filter(
+            Q(job_template__in=JobTemplate.accessible_objects(self.user, 'read_role')) |
+            Q(inventory__organization__in=org_access_qs) |
+            Q(project__organization__in=org_access_qs)).distinct()
 
     def can_add(self, data):
         if not data or '_method' in data:  # So the browseable API will work?
@@ -885,7 +891,11 @@ class JobAccess(BaseAccess):
 
     @check_superuser
     def can_delete(self, obj):
-        return self.user in obj.inventory.admin_role
+        if obj.inventory is not None and self.user in obj.inventory.organization.admin_role:
+            return True
+        if obj.project is not None and self.user in obj.project.organization.admin_role:
+            return True
+        return False
 
     def can_start(self, obj):
         self.check_license()
diff --git a/awx/main/tests/functional/test_rbac_job.py b/awx/main/tests/functional/test_rbac_job.py
index 4d37e926bf..f54d661095 100644
--- a/awx/main/tests/functional/test_rbac_job.py
+++ b/awx/main/tests/functional/test_rbac_job.py
@@ -5,31 +5,68 @@ from awx.main.models import Job
 
 
 @pytest.fixture
-def orphan_job(deploy_jobtemplate):
+def normal_job(deploy_jobtemplate):
     return Job.objects.create(
-        job_template=None,
+        job_template=deploy_jobtemplate,
         project=deploy_jobtemplate.project,
         inventory=deploy_jobtemplate.inventory
     )
 
+# Read permissions testing
 @pytest.mark.django_db
-def test_superuser_sees_orphans(admin_user, orphan_job):
+def test_superuser_sees_orphans(normal_job, admin_user):
+    normal_job.job_template = None
     access = JobAccess(admin_user)
-    assert access.can_read(orphan_job)
+    assert access.can_read(normal_job)
 
 @pytest.mark.django_db
-def test_org_member_does_not_see_orphans(org_member, orphan_job, project):
+def test_org_member_does_not_see_orphans(normal_job, org_member, project):
+    normal_job.job_template = None
     # Check that privledged access to project still does not grant access
     project.admin_role.members.add(org_member)
     access = JobAccess(org_member)
-    assert not access.can_read(orphan_job)
+    assert not access.can_read(normal_job)
 
 @pytest.mark.django_db
-def test_org_admin_sees_orphans(org_admin, orphan_job):
+def test_org_admin_sees_orphans(normal_job, org_admin):
+    normal_job.job_template = None
     access = JobAccess(org_admin)
-    assert access.can_read(orphan_job)
+    assert access.can_read(normal_job)
 
 @pytest.mark.django_db
-def test_org_auditor_sees_orphans(org_auditor, orphan_job):
+def test_org_auditor_sees_orphans(normal_job, org_auditor):
+    normal_job.job_template = None
     access = JobAccess(org_auditor)
-    assert access.can_read(orphan_job)
+    assert access.can_read(normal_job)
+
+# Delete permissions testing
+@pytest.mark.django_db
+def test_JT_admin_delete_denied(normal_job, rando):
+    normal_job.job_template.admin_role.members.add(rando)
+    access = JobAccess(rando)
+    assert not access.can_delete(normal_job)
+
+@pytest.mark.django_db
+def test_inventory_admin_delete_denied(normal_job, rando):
+    normal_job.job_template.inventory.admin_role.members.add(rando)
+    access = JobAccess(rando)
+    assert not access.can_delete(normal_job)
+
+@pytest.mark.django_db
+def test_null_related_delete_denied(normal_job, rando):
+    normal_job.project = None
+    normal_job.inventory = None
+    access = JobAccess(rando)
+    assert not access.can_delete(normal_job)
+
+@pytest.mark.django_db
+def test_inventory_org_admin_delete_allowed(normal_job, org_admin):
+    normal_job.project = None # do this so we test job->inventory->org->admin connection
+    access = JobAccess(org_admin)
+    assert access.can_delete(normal_job)
+
+@pytest.mark.django_db
+def test_project_org_admin_delete_allowed(normal_job, org_admin):
+    normal_job.inventory = None # do this so we test job->project->org->admin connection
+    access = JobAccess(org_admin)
+    assert access.can_delete(normal_job)