AC-696 Removed restriction on reassigning a credential to another user/team.

awx/main/access.py

@@ -524,14 +524,6 @@ class CredentialAccess(BaseAccess):
         return False
 
     def can_change(self, obj, data):
-        # Prevent moving a credential to a different user.
-        user_pk = get_pk_from_dict(data, 'user')
-        if obj and user_pk and obj.user and obj.user.pk != user_pk:
-            raise PermissionDenied('Unable to change user on a credential')
-        # Prevent moving a credential to a different team.
-        team_pk = get_pk_from_dict(data, 'team')
-        if obj and team_pk and obj.team and obj.team.pk != team_pk:
-            raise PermissionDenied('Unable to change team on a credential')
         if self.user.is_superuser:
             return True
         if self.user == obj.created_by:

awx/main/tests/projects.py

@@ -533,10 +533,10 @@ class ProjectsTest(BaseTest):
         self.put(edit_creds1, data=d_cred_user, expect=401, auth=self.get_invalid_credentials())
         self.put(edit_creds1, data=d_cred_user, expect=200, auth=self.get_super_credentials())
         self.put(edit_creds1, data=d_cred_user, expect=200, auth=self.get_normal_credentials())
-        # editing a credential to edit the user record is not legal, this is a test of the .validate
+
-        # method on the serializer to allow 'write once' fields
+        # We now allow credential to be reassigned (with the right permissions).
-        self.put(edit_creds1, data=d_cred_user2, expect=403, auth=self.get_normal_credentials())
+        cred_put_u = self.put(edit_creds1, data=d_cred_user2, expect=200, auth=self.get_normal_credentials())
-        cred_put_u = self.put(edit_creds1, data=d_cred_user, expect=200, auth=self.get_other_credentials())
+        self.put(edit_creds1, data=d_cred_user, expect=403, auth=self.get_other_credentials())
 
         self.put(edit_creds2, data=d_cred_team, expect=401)
         self.put(edit_creds2, data=d_cred_team, expect=401, auth=self.get_invalid_credentials())