From 4b5e131362a4392617cd3d1b90ff642a6cecedec Mon Sep 17 00:00:00 2001
From: AlanCoding <arominge@redhat.com>
Date: Mon, 5 Dec 2016 15:17:34 -0500
Subject: [PATCH 1/2] allow org admins to share credentials between orgs

---
 awx/main/access.py | 10 +---------
 1 file changed, 1 insertion(+), 9 deletions(-)

diff --git a/awx/main/access.py b/awx/main/access.py
index 7f28e0a7ce..55b0185e53 100644
--- a/awx/main/access.py
+++ b/awx/main/access.py
@@ -837,15 +837,7 @@ class CredentialAccess(BaseAccess):
     def can_change(self, obj, data):
         if not obj:
             return False
-
-        # Cannot change the organization for a credential after it's been created
-        if data and 'organization' in data:
-            organization_pk = get_pk_from_dict(data, 'organization')
-            if (organization_pk and (not obj.organization or organization_pk != obj.organization.id)) \
-                    or (not organization_pk and obj.organization):
-                return False
-
-        return self.user in obj.admin_role
+        return self.user in obj.admin_role and self.check_related('organization', Organization, data, obj=obj)
 
     def can_delete(self, obj):
         # Unassociated credentials may be marked deleted by anyone, though we

From 81cb57be4f50c647b93be27440d25690937c0513 Mon Sep 17 00:00:00 2001
From: AlanCoding <arominge@redhat.com>
Date: Mon, 5 Dec 2016 16:17:58 -0500
Subject: [PATCH 2/2] remove tests pertaining to credential org related field

---
 .../tests/functional/api/test_credential.py   | 33 -------------------
 1 file changed, 33 deletions(-)

diff --git a/awx/main/tests/functional/api/test_credential.py b/awx/main/tests/functional/api/test_credential.py
index bd6cd25841..8f596cdac9 100644
--- a/awx/main/tests/functional/api/test_credential.py
+++ b/awx/main/tests/functional/api/test_credential.py
@@ -339,39 +339,6 @@ def test_list_created_org_credentials(post, get, organization, org_admin, org_me
     assert response.data['count'] == 0
 
 
-@pytest.mark.django_db
-def test_cant_change_organization(patch, credential, organization, org_admin):
-    credential.organization = organization
-    credential.save()
-
-    response = patch(reverse('api:credential_detail', args=(credential.id,)), {
-        'name': 'Some new name',
-    }, org_admin)
-    assert response.status_code == 200
-
-    response = patch(reverse('api:credential_detail', args=(credential.id,)), {
-        'name': 'Some new name2',
-        'organization': organization.id, # fine for it to be the same
-    }, org_admin)
-    assert response.status_code == 200
-
-    response = patch(reverse('api:credential_detail', args=(credential.id,)), {
-        'name': 'Some new name3',
-        'organization': None
-    }, org_admin)
-    assert response.status_code == 403
-
-
-@pytest.mark.django_db
-def test_cant_add_organization(patch, credential, organization, org_admin):
-    assert credential.organization is None
-    response = patch(reverse('api:credential_detail', args=(credential.id,)), {
-        'name': 'Some new name',
-        'organization': organization.id
-    }, org_admin)
-    assert response.status_code == 403
-
-
 #
 # Openstack Credentials
 #