From 3abbe87e10ef8dfab4e612e330a67f5327170b23 Mon Sep 17 00:00:00 2001
From: AlanCoding <arominge@redhat.com>
Date: Mon, 2 Oct 2017 11:17:18 -0400
Subject: [PATCH] fix bug checking WFJT node for prompted resources

---
 awx/main/access.py                              |  4 ++--
 awx/main/tests/functional/test_rbac_workflow.py | 16 +++++++++++++++-
 2 files changed, 17 insertions(+), 3 deletions(-)

diff --git a/awx/main/access.py b/awx/main/access.py
index c2dae1397c..75fd3ce1e7 100644
--- a/awx/main/access.py
+++ b/awx/main/access.py
@@ -1605,9 +1605,9 @@ class WorkflowJobTemplateNodeAccess(BaseAccess):
         if 'credential' in data or 'inventory' in data:
             new_data = data
             if 'credential' not in data:
-                new_data['credential'] = self.credential
+                new_data['credential'] = obj.credential
             if 'inventory' not in data:
-                new_data['inventory'] = self.inventory
+                new_data['inventory'] = obj.inventory
             return self.can_use_prompted_resources(new_data)
         return True
 
diff --git a/awx/main/tests/functional/test_rbac_workflow.py b/awx/main/tests/functional/test_rbac_workflow.py
index c069a8dbad..84b02b5690 100644
--- a/awx/main/tests/functional/test_rbac_workflow.py
+++ b/awx/main/tests/functional/test_rbac_workflow.py
@@ -57,7 +57,21 @@ class TestWorkflowJobTemplateNodeAccess:
         # without access to the related job template, admin to the WFJT can
         # not change the prompted parameters
         access = WorkflowJobTemplateNodeAccess(org_admin)
-        assert not access.can_change(wfjt_node, {'job_type': 'scan'})
+        assert not access.can_change(wfjt_node, {'job_type': 'check'})
+
+    def test_node_edit_allowed(self, wfjt_node, org_admin):
+        wfjt_node.unified_job_template.admin_role.members.add(org_admin)
+        access = WorkflowJobTemplateNodeAccess(org_admin)
+        assert access.can_change(wfjt_node, {'job_type': 'check'})
+
+    def test_prompted_resource_prevents_edit(self, wfjt_node, org_admin, machine_credential):
+        # without access to prompted resources, admin to the WFJT can
+        # not change the other prompted resources
+        wfjt_node.unified_job_template.admin_role.members.add(org_admin)
+        wfjt_node.credential = machine_credential
+        wfjt_node.save()
+        access = WorkflowJobTemplateNodeAccess(org_admin)
+        assert not access.can_change(wfjt_node, {'inventory': 45})
 
     def test_add_JT_no_start_perm(self, wfjt, job_template, rando):
         wfjt.admin_role.members.add(rando)