From ec1e94376c8e86e0efc23bdda06867a69f5c0001 Mon Sep 17 00:00:00 2001
From: AlanCoding
Date: Wed, 2 May 2018 14:53:05 -0400
Subject: [PATCH] correctly check credential permission on WFJT copy
---
 awx/api/generics.py | 3 +++
 awx/api/views.py | 10 ++++++++--
 awx/main/access.py | 2 +-
 awx/main/tasks.py | 3 +++
 4 files changed, 15 insertions(+), 3 deletions(-)
diff --git a/awx/api/generics.py b/awx/api/generics.py
index eae3fe62f8..c62f3cc6dd 100644
--- a/awx/api/generics.py
+++ b/awx/api/generics.py
@@ -878,6 +878,9 @@ class CopyAPIView(GenericAPIView):
 obj, field.name, field_val
 )
 new_obj = model.objects.create(**create_kwargs)
+ logger.debug(six.text_type('Deep copy: Created new object {}({})').format(
+ new_obj, model
+ ))
 # Need to save separatedly because Djang-crum get_current_user would
 # not work properly in non-request-response-cycle context.
 new_obj.created_by = creater
diff --git a/awx/api/views.py b/awx/api/views.py
index 5e080ccea9..07b7576294 100644
--- a/awx/api/views.py
+++ b/awx/api/views.py
@@ -3702,12 +3702,18 @@ class WorkflowJobTemplateCopy(WorkflowsEnforcementMixin, CopyAPIView):
 item = getattr(obj, field_name, None)
 if item is None:
 continue
- if field_name in ['inventory']:
+ elif field_name in ['inventory']:
 if not user.can_access(item.__class__, 'use', item):
 setattr(obj, field_name, None)
- if field_name in ['unified_job_template']:
+ elif field_name in ['unified_job_template']:
 if not user.can_access(item.__class__, 'start', item, validate_license=False):
 setattr(obj, field_name, None)
+ elif field_name in ['credentials']:
+ for cred in item.all():
+ if not user.can_access(cred.__class__, 'use', cred):
+ logger.debug(six.text_type(
+ 'Deep copy: removing {} from relationship due to permissions').format(cred))
+ item.remove(cred.pk)
 obj.save()
diff --git a/awx/main/access.py b/awx/main/access.py
index e2e7d0c3d4..ce3ed5c9f5 100644
--- a/awx/main/access.py
+++ b/awx/main/access.py
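Review bot: The added debug statement in CopyAPIView builds its message eagerly with `six.text_type(...).format(new_obj, model)`, so `new_obj.__str__` and the formatting run even when DEBUG logging is disabled; the same pattern appears in the views.py and tasks.py hunks of this commit. Passing lazy arguments lets the logging module defer that work and handle the text type itself: `logger.debug('Deep copy: Created new object %s(%s)', new_obj, model)`. Whether `logger` and `six` are already imported in generics.py is not visible in this hunk. The enclosing method of CopyAPIView starts and ends outside the hunk.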
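Review bot: The new `credentials` branch calls `item.remove(cred.pk)` while iterating `item.all()`; a Django QuerySet is fully evaluated on first iteration so this works in practice, but mutating a relation while walking it is fragile and reads as a bug to the next maintainer. Iterating a snapshot makes the intent explicit at no cost: `for cred in list(item.all()):`. The permission direction is right — a credential the copying user cannot `use` is dropped from the copy rather than carried over — and it mirrors the `use_role` test in access.py. Minor style: `elif` after a branch that ends in `continue` is equivalent to the original independent `if`s, and `field_name in ['credentials']` is a one-element membership test that could be `field_name == 'credentials'`. The enclosing loop and method of WorkflowJobTemplateCopy start before the hunk.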
@@ -1821,7 +1821,7 @@ class WorkflowJobTemplateAccess(BaseAccess):
 missing_inventories.append(node.inventory.name)
 for cred in node.credentials.all():
 if self.user not in cred.use_role:
- missing_credentials.append(node.credential.name)
+ missing_credentials.append(cred.name)
 ujt = node.unified_job_template
 if ujt and not self.user.can_access(UnifiedJobTemplate, 'start', ujt, validate_license=False):
 missing_ujt.append(ujt.name)
diff --git a/awx/main/tasks.py b/awx/main/tasks.py
index aca866ccd0..e260077a61 100644
--- a/awx/main/tasks.py
+++ b/awx/main/tasks.py
@@ -2318,6 +2318,9 @@ def _reconstruct_relationships(copy_mapping):
 setattr(new_obj, field_name, related_obj)
 elif field.many_to_many:
 for related_obj in getattr(old_obj, field_name).all():
+ logger.debug(six.text_type('Deep copy: Adding {} to {}({}).{} relationship').format(
+ related_obj, new_obj, model, field_name
+ ))
 getattr(new_obj, field_name).add(copy_mapping.get(related_obj, related_obj))
 new_obj.save()
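Review bot: The corrected line fixes the `node.credential` vs `node.credentials` attribute error, but the permission test it sits under, `self.user not in cred.use_role`, is expressed differently from the copy filter in views.py, which uses `user.can_access(cred.__class__, 'use', cred)`. If the two forms ever diverge — for example in how superusers or organization admins are treated by `can_access`, which is not visible here — the copy view and this access check would disagree on which credentials survive a copy. Using the same form in both places, `if not self.user.can_access(cred.__class__, 'use', cred):`, keeps the policy in one spot, as this method already does for `unified_job_template` two lines below. The enclosing method of WorkflowJobTemplateAccess starts and ends outside the hunk.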
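Review bot: The added debug message logs `related_obj`, but the object actually attached on the following line is `copy_mapping.get(related_obj, related_obj)`, so whenever the related object was itself deep-copied the log names the original rather than the copy that joins the relationship. Resolving the target once removes the ambiguity and the second dictionary lookup: `target = copy_mapping.get(related_obj, related_obj)`, then log `target` and call `getattr(new_obj, field_name).add(target)`. As in the generics.py hunk, lazy `%s` arguments are preferable to an eager `six.text_type(...).format(...)`. `_reconstruct_relationships` starts before this hunk; `new_obj`, `model` and `field` are presumably bound earlier in it.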