From e07a06e990826942cb5960bff57d415fefa8fa79 Mon Sep 17 00:00:00 2001
From: Wayne Witzel III
Date: Wed, 22 Jun 2016 11:59:40 -0400
Subject: [PATCH 1/5] Teams cannot be parents of Organization roles
---
 awx/api/views.py | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/awx/api/views.py b/awx/api/views.py
index 9db03cfe55..b490d406f4 100644
--- a/awx/api/views.py
+++ b/awx/api/views.py
@@ -875,6 +875,13 @@ class TeamRolesList(SubListCreateAttachDetachAPIView):
 if not sub_id:
 data = dict(msg="Role 'id' field is missing.")
 return Response(data, status=status.HTTP_400_BAD_REQUEST)
+
+ role = Role.objects.get(pk=sub_id)
+ content_type = ContentType.objects.get_for_model(Organization)
+ if role.content_type == content_type:
+ data = dict(msg="You cannot assign Organization roles and child roles for Teams.")
+ return Response(data, status=status.HTTP_400_BAD_REQUEST)
+
 return super(TeamRolesList, self).post(request, *args, **kwargs)
 class TeamObjectRolesList(SubListAPIView):
@@ -3715,6 +3722,11 @@ class RoleTeamsList(ListAPIView):
 return Response(data, status=status.HTTP_400_BAD_REQUEST)
 role = Role.objects.get(pk=self.kwargs['pk'])
+ content_type = ContentType.objects.get_for_model(Organization)
+ if role.content_type == content_type:
+ data = dict(msg="You cannot assign Organization roles and child roles for Teams.")
+ return Response(data, status=status.HTTP_400_BAD_REQUEST)
+
 team = Team.objects.get(pk=sub_id)
 action = 'attach'
 if request.data.get('disassociate', None):
From 54e618db2ef5fd226c5514dd15d8f792fd0d8320 Mon Sep 17 00:00:00 2001
From: Wayne Witzel III
Date: Wed, 22 Jun 2016 12:00:32 -0400
Subject: [PATCH 2/5] test org role as child for team 400s
---
 awx/main/tests/unit/api/test_views.py | 30 ++++++++++++++++++++++++++-
 1 file changed, 29 insertions(+), 1 deletion(-)
diff --git a/awx/main/tests/unit/api/test_views.py b/awx/main/tests/unit/api/test_views.py
index 0200518078..143bdb4efa 100644
--- a/awx/main/tests/unit/api/test_views.py
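Review bot: In the TeamRolesList.post hunk of awx/api/views.py, `Role.objects.get(pk=sub_id)` runs on a client-supplied id with no handling for a missing or malformed value, so an unknown id raises `Role.DoesNotExist` and, unless a project-level exception handler maps it, reaches the client as a server error rather than a 4xx. Wrap the lookup and answer in the same style as the existing 'id' check, e.g. `except Role.DoesNotExist: return Response(dict(msg="Role not found."), status=status.HTTP_404_NOT_FOUND)`. The lookup and the 400 also come before `super(TeamRolesList, self).post(...)`, which is presumably where access to the team and role is enforced, so the response tells any caller who reaches this view whether a given role id belongs to an Organization; confirm that ordering is intended. The method starts above the hunk.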
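Review bot: In the RoleTeamsList.post hunk the new Organization check sits above `action = 'attach'` and the `disassociate` test, so it rejects detach requests as well as attach requests. A Team that was given an Organization role before this change could then not have it removed through this endpoint, which leaves an over-broad grant without an API path to revoke it. Gate the rejection on the action, i.e. compute `action` first and use `if action == 'attach' and role.content_type == content_type:`. The TeamRolesList.post hunk likely has the same problem if its parent class handles `disassociate` inside `post`, which is not visible here. The body of this method continues below the hunk.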
+++ b/awx/main/tests/unit/api/test_views.py
@@ -1,9 +1,17 @@
+import mock
 import pytest
+from rest_framework.test import APIRequestFactory
+from rest_framework.test import force_authenticate
+
 from awx.api.views import (
 ApiV1RootView,
+ TeamRolesList,
 )
+from awx.main.models import (
+ User,
+)
 @pytest.fixture
 def mock_response_new(mocker):
@@ -11,7 +19,6 @@ def mock_response_new(mocker):
 m.return_value = m
 return m
-
 class TestApiV1RootView:
 def test_get_endpoints(self, mocker, mock_response_new):
 endpoints = [
@@ -52,3 +59,24 @@ class TestApiV1RootView:
 for endpoint in endpoints:
 assert endpoint in data_arg
+@pytest.mark.parametrize("url", ["/team/1/roles", "/role/1/teams"])
+def test_team_roles_list_post_org_roles(url):
+ with mock.patch('awx.api.views.Role.objects.get', create=True) as role_get, \
+ mock.patch('awx.api.views.ContentType.objects.get_for_model', create=True) as ct_get:
+
+ role_mock = mock.MagicMock()
+ role_mock.content_type = 1
+ role_get.return_value = role_mock
+ ct_get.return_value = 1
+
+ factory = APIRequestFactory()
+ view = TeamRolesList.as_view()
+
+ request = factory.post(url, {'id':1}, format="json")
+ force_authenticate(request, User(username="root", is_superuser=True))
+
+ response = view(request)
+ response.render()
+
+ assert response.status_code == 400
+ assert 'cannot assign' in response.content
From 67e516f2638d3ea51d306e0f8c3bd3e0f8255a56 Mon Sep 17 00:00:00 2001
From: Wayne Witzel III
Date: Wed, 22 Jun 2016 12:14:11 -0400
Subject: [PATCH 3/5] update language in error message
---
 awx/api/views.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/awx/api/views.py b/awx/api/views.py
index b490d406f4..e48d6e2642 100644
--- a/awx/api/views.py
+++ b/awx/api/views.py
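Review bot: Both parametrized URLs in `test_team_roles_list_post_org_roles` are dispatched to `TeamRolesList.as_view()`; `APIRequestFactory` builds a request but does not route it, so the "/role/1/teams" case never reaches `RoleTeamsList` and that view's copy of the access check has no test. Parametrize the view class together with the URL, e.g. `@pytest.mark.parametrize("url,view_cls", [("/team/1/roles", TeamRolesList), ("/role/1/teams", RoleTeamsList)])` with `view = view_cls.as_view()`. `RoleTeamsList.post` reads `self.kwargs['pk']`, so its call would also need the keyword, `response = view(request, pk=1)`, and `RoleTeamsList` would have to be imported.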
@@ -879,7 +879,7 @@ class TeamRolesList(SubListCreateAttachDetachAPIView):
 role = Role.objects.get(pk=sub_id)
 content_type = ContentType.objects.get_for_model(Organization)
 if role.content_type == content_type:
- data = dict(msg="You cannot assign Organization roles and child roles for Teams.")
+ data = dict(msg="You cannot assign an Organization role as a child role for a Team.")
 return Response(data, status=status.HTTP_400_BAD_REQUEST)
 return super(TeamRolesList, self).post(request, *args, **kwargs)
@@ -3724,7 +3724,7 @@ class RoleTeamsList(ListAPIView):
 role = Role.objects.get(pk=self.kwargs['pk'])
 content_type = ContentType.objects.get_for_model(Organization)
 if role.content_type == content_type:
- data = dict(msg="You cannot assign Organization roles and child roles for Teams.")
+ data = dict(msg="You cannot assign an Organization role as a child role for a Team.")
 return Response(data, status=status.HTTP_400_BAD_REQUEST)
 team = Team.objects.get(pk=sub_id)
From 1d329856f9fa7f72d3e8245ec7aa95fc0a454a1f Mon Sep 17 00:00:00 2001
From: Wayne Witzel III
Date: Wed, 22 Jun 2016 15:36:26 -0400
Subject: [PATCH 4/5] use MagicMock for content_type
---
 awx/main/tests/unit/api/test_views.py | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/awx/main/tests/unit/api/test_views.py b/awx/main/tests/unit/api/test_views.py
index 143bdb4efa..32273201aa 100644
--- a/awx/main/tests/unit/api/test_views.py
+++ b/awx/main/tests/unit/api/test_views.py
@@ -4,6 +4,8 @@ import pytest
 from rest_framework.test import APIRequestFactory
 from rest_framework.test import force_authenticate
+from django.contrib.contenttypes.models import ContentType
+
 from awx.api.views import (
 ApiV1RootView,
 TeamRolesList,
@@ -11,6 +13,7 @@ from awx.api.views import (
 from awx.main.models import (
 User,
+ Role,
 )
 @pytest.fixture
@@ -64,10 +67,11 @@ def test_team_roles_list_post_org_roles(url):
 with mock.patch('awx.api.views.Role.objects.get', create=True) as role_get, \
 mock.patch('awx.api.views.ContentType.objects.get_for_model', create=True) as ct_get:
- role_mock = mock.MagicMock()
- role_mock.content_type = 1
+ role_mock = mock.MagicMock(spec=Role)
+ content_type_mock = mock.MagicMock(spec=ContentType)
+ role_mock.content_type = content_type_mock
 role_get.return_value = role_mock
- ct_get.return_value = 1
+ ct_get.return_value = content_type_mock
 factory = APIRequestFactory()
 view = TeamRolesList.as_view()
From 329e81b40e71ce89ccfbe674a95b15e7cbbe8063 Mon Sep 17 00:00:00 2001
From: Wayne Witzel III
Date: Wed, 22 Jun 2016 15:39:40 -0400
Subject: [PATCH 5/5] no need for create=True
---
 awx/main/tests/unit/api/test_views.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/awx/main/tests/unit/api/test_views.py b/awx/main/tests/unit/api/test_views.py
index 32273201aa..27442286c6 100644
--- a/awx/main/tests/unit/api/test_views.py
+++ b/awx/main/tests/unit/api/test_views.py
@@ -64,8 +64,8 @@ class TestApiV1RootView:
 @pytest.mark.parametrize("url", ["/team/1/roles", "/role/1/teams"])
 def test_team_roles_list_post_org_roles(url):
- with mock.patch('awx.api.views.Role.objects.get', create=True) as role_get, \
- mock.patch('awx.api.views.ContentType.objects.get_for_model', create=True) as ct_get:
+ with mock.patch('awx.api.views.Role.objects.get') as role_get, \
+ mock.patch('awx.api.views.ContentType.objects.get_for_model') as ct_get:
 role_mock = mock.MagicMock(spec=Role)
 content_type_mock = mock.MagicMock(spec=ContentType)
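Review bot: In the `use MagicMock for content_type` hunk, `role_mock.content_type` and `ct_get.return_value` are the same `content_type_mock` object, so the test only ever exercises the rejecting branch of the check. Nothing shows that a role whose content type is not Organization still reaches the parent `post`, so a regression that rejected every role would still pass. Add a companion case that sets `ct_get.return_value = mock.MagicMock(spec=ContentType)` (a different object) and asserts the "cannot assign" message is absent; the parent `post` would probably need patching for that, which cannot be judged from this hunk. The test function starts above the hunk and continues below it.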