From 503fc8ceb4254ac1e2da3d272b1d2041f95de9f3 Mon Sep 17 00:00:00 2001
From: Chris Church <chris@ninemoreminutes.com>
Date: Wed, 20 Nov 2013 10:07:39 -0500
Subject: [PATCH] AC-696 Removed restriction on reassigning a credential to
 another user/team.

---
 awx/main/access.py         | 8 --------
 awx/main/tests/projects.py | 8 ++++----
 2 files changed, 4 insertions(+), 12 deletions(-)

diff --git a/awx/main/access.py b/awx/main/access.py
index 46f6202f60..5af04b4b2c 100644
--- a/awx/main/access.py
+++ b/awx/main/access.py
@@ -524,14 +524,6 @@ class CredentialAccess(BaseAccess):
         return False
 
     def can_change(self, obj, data):
-        # Prevent moving a credential to a different user.
-        user_pk = get_pk_from_dict(data, 'user')
-        if obj and user_pk and obj.user and obj.user.pk != user_pk:
-            raise PermissionDenied('Unable to change user on a credential')
-        # Prevent moving a credential to a different team.
-        team_pk = get_pk_from_dict(data, 'team')
-        if obj and team_pk and obj.team and obj.team.pk != team_pk:
-            raise PermissionDenied('Unable to change team on a credential')
         if self.user.is_superuser:
             return True
         if self.user == obj.created_by:
diff --git a/awx/main/tests/projects.py b/awx/main/tests/projects.py
index a833fffeae..44c97859ae 100644
--- a/awx/main/tests/projects.py
+++ b/awx/main/tests/projects.py
@@ -533,10 +533,10 @@ class ProjectsTest(BaseTest):
         self.put(edit_creds1, data=d_cred_user, expect=401, auth=self.get_invalid_credentials())
         self.put(edit_creds1, data=d_cred_user, expect=200, auth=self.get_super_credentials())
         self.put(edit_creds1, data=d_cred_user, expect=200, auth=self.get_normal_credentials())
-        # editing a credential to edit the user record is not legal, this is a test of the .validate
-        # method on the serializer to allow 'write once' fields
-        self.put(edit_creds1, data=d_cred_user2, expect=403, auth=self.get_normal_credentials())
-        cred_put_u = self.put(edit_creds1, data=d_cred_user, expect=200, auth=self.get_other_credentials())
+
+        # We now allow credential to be reassigned (with the right permissions).
+        cred_put_u = self.put(edit_creds1, data=d_cred_user2, expect=200, auth=self.get_normal_credentials())
+        self.put(edit_creds1, data=d_cred_user, expect=403, auth=self.get_other_credentials())
 
         self.put(edit_creds2, data=d_cred_team, expect=401)
         self.put(edit_creds2, data=d_cred_team, expect=401, auth=self.get_invalid_credentials())