Loosen up team EE restrictions (#15384)

* Try to loosen up team EE restrictions

* Fix missed permission case of nulling EE org

awx/main/access.py

@@ -1400,7 +1400,9 @@ class ExecutionEnvironmentAccess(BaseAccess):
 
     def filtered_queryset(self):
         return ExecutionEnvironment.objects.filter(
-            Q(organization__in=Organization.accessible_pk_qs(self.user, 'read_role')) | Q(organization__isnull=True)
+            Q(organization__in=Organization.accessible_pk_qs(self.user, 'read_role'))
+            | Q(organization__isnull=True)
+            | Q(id__in=ExecutionEnvironment.access_ids_qs(self.user, 'change'))
         ).distinct()
 
     @check_superuser
@@ -1419,7 +1421,13 @@ class ExecutionEnvironmentAccess(BaseAccess):
         else:
             if self.user not in obj.organization.execution_environment_admin_role:
                 raise PermissionDenied
-        return self.check_related('organization', Organization, data, obj=obj, role_field='execution_environment_admin_role')
+        if not self.check_related('organization', Organization, data, obj=obj, role_field='execution_environment_admin_role'):
+            return False
+        # Special case that check_related does not catch, org users can not remove the organization from the EE
+        if data and ('organization' in data or 'organization_id' in data):
+            if (not data.get('organization')) and (not data.get('organization_id')):
+                return False
+        return True
 
     def can_delete(self, obj):
         if obj.managed: