Validate org-user membership from gateway (#15508)

Adding credential and execution environment roles
validates that the user belongs to the same org
as the credential or EE.

In some situations, the user-org membership has not
yet been synced from gateway to controller.

In this case, controller will make a request to
gateway to check if the user is part of the org.

Signed-off-by: Seth Foster <fosterbseth@gmail.com>

awx/main/models/execution_environments.py

@@ -58,11 +58,20 @@ class ExecutionEnvironment(CommonModel):
     def get_absolute_url(self, request=None):
         return reverse('api:execution_environment_detail', kwargs={'pk': self.pk}, request=request)
 
-    def validate_role_assignment(self, actor, role_definition):
+    def validate_role_assignment(self, actor, role_definition, **kwargs):
+        from awx.main.models.credential import check_resource_server_for_user_in_organization
+
         if self.managed:
             raise ValidationError({'object_id': _('Can not assign object roles to managed Execution Environments')})
         if self.organization_id is None:
             raise ValidationError({'object_id': _('Can not assign object roles to global Execution Environments')})
 
-        if actor._meta.model_name == 'user' and (not actor.has_obj_perm(self.organization, 'view')):
+        if actor._meta.model_name == 'user':
+            if actor.has_obj_perm(self.organization, 'view'):
+                return
+
+            requesting_user = kwargs.get('requesting_user', None)
+            if check_resource_server_for_user_in_organization(actor, self.organization, requesting_user):
+                return
+
             raise ValidationError({'user': _('User must have view permission to Execution Environment organization')})