From 3cf4d1feb8b6e9cf3784918b47bfe0ee33ade93f Mon Sep 17 00:00:00 2001
From: Wayne Witzel III <wayne@riotousliving.com>
Date: Fri, 10 Jun 2016 10:30:22 -0400
Subject: [PATCH] Fixing Credential access issue

---
 awx/main/access.py | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/awx/main/access.py b/awx/main/access.py
index f475809a6d..231ece8042 100644
--- a/awx/main/access.py
+++ b/awx/main/access.py
@@ -586,19 +586,21 @@ class CredentialAccess(BaseAccess):
         if organization_pk:
             organization_obj = get_object_or_400(Organization, pk=organization_pk)
             return check_user_access(self.user, Organization, 'change', organization_obj, None)
-
         return False
 
-
     @check_superuser
     def can_use(self, obj):
         return self.user in obj.use_role
 
     @check_superuser
     def can_change(self, obj, data):
-        if self.user in obj.owner_role:
-            return True
-        return self.can_add(data)
+        if data is not None:
+            keys = data.keys()
+            if 'user' in keys or 'team' in keys or 'organization' in keys:
+                if not self.can_add(data):
+                    return False
+
+        return self.user in obj.owner_role
 
     def can_delete(self, obj):
         # Unassociated credentials may be marked deleted by anyone, though we