Fix object-level permission bugs with DAB RBAC system (#15284)

* Fix object-level permission bugs with DAB RBAC system

* Fix NT organization change regression

* Mark tests to AAP number

awx/main/tests/functional/api/test_instance_group.py

@@ -32,13 +32,6 @@ def node_type_instance():
     return fn
 
 
-@pytest.fixture
-def instance_group(job_factory):
-    ig = InstanceGroup(name="east")
-    ig.save()
-    return ig
-
-
 @pytest.fixture
 def containerized_instance_group(instance_group, kube_credential):
     ig = InstanceGroup(name="container")

awx/main/tests/functional/conftest.py

@@ -20,7 +20,7 @@ from awx.main.migrations._dab_rbac import setup_managed_role_definitions
 
 # AWX
 from awx.main.models.projects import Project
-from awx.main.models.ha import Instance
+from awx.main.models.ha import Instance, InstanceGroup
 
 from rest_framework.test import (
     APIRequestFactory,
@@ -730,6 +730,11 @@ def jt_linked(organization, project, inventory, machine_credential, credential,
     return jt
 
 
+@pytest.fixture
+def instance_group():
+    return InstanceGroup.objects.create(name="east")
+
+
 @pytest.fixture
 def workflow_job_template(organization):
     wjt = WorkflowJobTemplate.objects.create(name='test-workflow_job_template', organization=organization)

awx/main/tests/functional/dab_rbac/test_access_regressions.py

@@ -0,0 +1,23 @@
+import pytest
+
+from awx.main.access import InstanceGroupAccess, NotificationTemplateAccess
+
+from ansible_base.rbac.models import RoleDefinition
+
+
+@pytest.mark.django_db
+def test_instance_group_object_role_delete(rando, instance_group, setup_managed_roles):
+    """Basic functionality of IG object-level admin role function AAP-25506"""
+    rd = RoleDefinition.objects.get(name='InstanceGroup Admin')
+    rd.give_permission(rando, instance_group)
+    access = InstanceGroupAccess(rando)
+    assert access.can_delete(instance_group)
+
+
+@pytest.mark.django_db
+def test_notification_template_object_role_change(rando, notification_template, setup_managed_roles):
+    """Basic functionality of NT object-level admin role function AAP-25493"""
+    rd = RoleDefinition.objects.get(name='NotificationTemplate Admin')
+    rd.give_permission(rando, notification_template)
+    access = NotificationTemplateAccess(rando)
+    assert access.can_change(notification_template, {'name': 'new name'})

awx/main/tests/functional/test_rbac_notifications.py

@@ -99,7 +99,9 @@ def test_notification_template_access_org_user(notification_template, user):
 @pytest.mark.django_db
 def test_notificaiton_template_orphan_access_org_admin(notification_template, organization, org_admin):
     notification_template.organization = None
+    notification_template.save(update_fields=['organization'])
     access = NotificationTemplateAccess(org_admin)
+    assert not org_admin.has_obj_perm(notification_template, 'change')
     assert not access.can_change(notification_template, {'organization': organization.id})