Merge pull request #6545 from fosterseth/fix-4198-readd-user-to-org

Fix adding orphaned user to org Reviewed-by: https://github.com/apps/softwarefactory-project-zuul
2026-01-19 21:51:26 -03:30 · 2020-04-06 21:10:38 +00:00 · 2020-04-06 21:10:38 +00:00 · 42705c9eb0
commit 42705c9eb0
parent 60d499e11c 843c22c6b1
2 changed files with 9 additions and 4 deletions
--- a/awx/main/access.py
+++ b/awx/main/access.py
@ -11,7 +11,6 @@ from functools import reduce
 from django.conf import settings
 from django.db.models import Q, Prefetch
 from django.contrib.auth.models import User
-from django.contrib.contenttypes.models import ContentType
 from django.utils.translation import ugettext_lazy as _
 from django.core.exceptions import ObjectDoesNotExist

@ -642,8 +641,8 @@ class UserAccess(BaseAccess):
                # in these cases only superusers can modify orphan users
                return False
            return not obj.roles.all().exclude(
-                content_type=ContentType.objects.get_for_model(User)
-            ).filter(ancestors__in=self.user.roles.all()).exists()
+                ancestors__in=self.user.roles.all()
+            ).exists()
        else:
            return self.is_all_org_admin(obj)

--- a/awx/main/tests/functional/test_rbac_role.py
+++ b/awx/main/tests/functional/test_rbac_role.py
@ -60,6 +60,8 @@ def test_org_user_role_attach(user, organization, inventory):
    '''
    admin = user('admin')
    nonmember = user('nonmember')
+    other_org = Organization.objects.create(name="other_org")
+    other_org.member_role.members.add(nonmember)
    inventory.admin_role.members.add(nonmember)

    organization.admin_role.members.add(admin)
@ -186,13 +188,17 @@ def test_need_all_orgs_to_admin_user(user):

 # Orphaned user can be added to member role, only in special cases
@pytest.mark.django_db
-def test_orphaned_user_allowed(org_admin, rando, organization):
+def test_orphaned_user_allowed(org_admin, rando, organization, org_credential):
    '''
    We still allow adoption of orphaned* users by assigning them to
    organization member role, but only in the situation where the
    org admin already posesses indirect access to all of the user's roles
    *orphaned means user is not a member of any organization
    '''
+    # give a descendent role to rando, to trigger the conditional
+    # where all ancestor roles of rando should be in the set of
+    # org_admin roles.
+    org_credential.admin_role.members.add(rando)
    role_access = RoleAccess(org_admin)
    org_access = OrganizationAccess(org_admin)
    assert role_access.can_attach(organization.member_role, rando, 'members', None)