From 843c22c6b192616291ada604b275e1319e2dad93 Mon Sep 17 00:00:00 2001
From: Seth Foster
Date: Thu, 2 Apr 2020 14:22:10 -0400
Subject: [PATCH] Allow orphaned user to be added to org

Fixed bug where an org admin was not able to add an orphaned user to the org, in the case where the orphan had an ancestor role that matched one of the roles for of the org admin. scenario to fix -- sue is member of cred1, where cred1 is part of org1. org1 admin cannot add sue to org1, because the cred1 role for sue has an ancestor to org1 role. The org1 admin cannot change or attach sue to org1. tower issue #4198 and #4197
---
 awx/main/access.py | 5 ++---
 awx/main/tests/functional/test_rbac_role.py | 8 +++++++-
 2 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/awx/main/access.py b/awx/main/access.py
index c1afd5c803..8891487fe0 100644
--- a/awx/main/access.py
+++ b/awx/main/access.py
@@ -11,7 +11,6 @@ from functools import reduce
 from django.conf import settings
 from django.db.models import Q, Prefetch
 from django.contrib.auth.models import User
-from django.contrib.contenttypes.models import ContentType
 from django.utils.translation import ugettext_lazy as _
 from django.core.exceptions import ObjectDoesNotExist
@@ -650,8 +649,8 @@ class UserAccess(BaseAccess):
 # in these cases only superusers can modify orphan users
 return False
 return not obj.roles.all().exclude(
- content_type=ContentType.objects.get_for_model(User)
- ).filter(ancestors__in=self.user.roles.all()).exists()
+ ancestors__in=self.user.roles.all()
+ ).exists()
 else:
 return self.is_all_org_admin(obj)
diff --git a/awx/main/tests/functional/test_rbac_role.py b/awx/main/tests/functional/test_rbac_role.py
index 838a410d58..e308d1a6ea 100644
--- a/awx/main/tests/functional/test_rbac_role.py
+++ b/awx/main/tests/functional/test_rbac_role.py
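Review bot: The rewritten `exclude()` in the second hunk of access.py drops the old `content_type=ContentType.objects.get_for_model(User)` exclusion in addition to inverting the test, so a role of content type User held by obj now blocks adoption unless it sits beneath one of the org admin's roles; the commit message explains the inverted condition but not why that exclusion is safe to remove, so either confirm it guarded nothing real or restore it as a chained `.exclude(content_type=...)` ahead of the ancestor check. The remaining condition is a double negative over a to-many lookup (Django's `exclude()` across a multi-valued relation removes a role as soon as any of its ancestors matches), which is easy to misread on a later edit, so a one-line comment would help: `# adoption is allowed only if every role obj holds is beneath a role this user has`. As far as the hunk shows, a user holding no roles at all passes this check trivially, which matches the previous behaviour but deserves an explicit test. The enclosing method starts and ends outside the hunk.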
@@ -60,6 +60,8 @@ def test_org_user_role_attach(user, organization, inventory):
 '''
 admin = user('admin')
 nonmember = user('nonmember')
+ other_org = Organization.objects.create(name="other_org")
+ other_org.member_role.members.add(nonmember)
 inventory.admin_role.members.add(nonmember)
 organization.admin_role.members.add(admin)
@@ -186,13 +188,17 @@ def test_need_all_orgs_to_admin_user(user):
 # Orphaned user can be added to member role, only in special cases
 @pytest.mark.django_db
-def test_orphaned_user_allowed(org_admin, rando, organization):
+def test_orphaned_user_allowed(org_admin, rando, organization, org_credential):
 '''
 We still allow adoption of orphaned* users by assigning them to organization member role, but only in the situation where the org admin already posesses indirect access to all of the user's roles *orphaned means user is not a member of any organization
 '''
+ # give a descendent role to rando, to trigger the conditional
+ # where all ancestor roles of rando should be in the set of
+ # org_admin roles.
+ org_credential.admin_role.members.add(rando)
 role_access = RoleAccess(org_admin)
 org_access = OrganizationAccess(org_admin)
 assert role_access.can_attach(organization.member_role, rando, 'members', None)
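Review bot: The comment added above `org_credential.admin_role.members.add(rando)` in the second hunk misspells the term; it should read `# give a descendant role to rando, to trigger the conditional`. More importantly, as far as this hunk shows the test only exercises the allow path: nothing asserts that `can_attach` returns False when rando holds a role beneath an organization that org_admin does not administer, so a regression that made the ancestor check vacuously true would still pass; the `Organization.objects.create(name=...)` pattern from the first hunk in this file is enough to build that negative case. test_orphaned_user_allowed continues past the end of the hunk.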