From 4f3213715e35704b4919f8a0c9d82ebaf0473f5c Mon Sep 17 00:00:00 2001
From: Bill Nottingham <notting@splat.cc>
Date: Thu, 2 Apr 2020 14:59:42 -0400
Subject: [PATCH] Allow disassociating any user from a credential role.

This is preventing removing roles from users no longer in the organization.
---
 awx/api/views/__init__.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/awx/api/views/__init__.py b/awx/api/views/__init__.py
index 1339c50c68..aca8d892a0 100644
--- a/awx/api/views/__init__.py
+++ b/awx/api/views/__init__.py
@@ -1092,7 +1092,7 @@ class UserRolesList(SubListAttachDetachAPIView):
 
         credential_content_type = ContentType.objects.get_for_model(models.Credential)
         if role.content_type == credential_content_type:
-            if role.content_object.organization and user not in role.content_object.organization.member_role:
+            if 'disassociate' not in request.data and role.content_object.organization and user not in role.content_object.organization.member_role:
                 data = dict(msg=_("You cannot grant credential access to a user not in the credentials' organization"))
                 return Response(data, status=status.HTTP_400_BAD_REQUEST)
 
@@ -4415,7 +4415,7 @@ class RoleUsersList(SubListAttachDetachAPIView):
 
         credential_content_type = ContentType.objects.get_for_model(models.Credential)
         if role.content_type == credential_content_type:
-            if role.content_object.organization and user not in role.content_object.organization.member_role:
+            if 'disassociate' not in request.data and role.content_object.organization and user not in role.content_object.organization.member_role:
                 data = dict(msg=_("You cannot grant credential access to a user not in the credentials' organization"))
                 return Response(data, status=status.HTTP_400_BAD_REQUEST)