block system auditors from attaching notification templates

awx/main/access.py

@@ -1229,6 +1229,13 @@ class JobTemplateAccess(BaseAccess):
                                  "active_jobs": active_jobs})
         return True
 
+    @check_superuser
+    def can_attach(self, obj, sub_obj, relationship, data, skip_sub_obj_read_check=False):
+        if isinstance(sub_obj, NotificationTemplate):
+            return self.check_related('organization', Organization, {}, obj=sub_obj, mandatory=True)
+        return super(JobTemplateAccess, self).can_attach(
+            obj, sub_obj, relationship, data, skip_sub_obj_read_check=skip_sub_obj_read_check)
+
 
 class JobAccess(BaseAccess):
     '''

awx/main/tests/functional/test_rbac_notifications.py

@@ -2,7 +2,8 @@ import pytest
 
 from awx.main.access import (
     NotificationTemplateAccess,
-    NotificationAccess
+    NotificationAccess,
+    JobTemplateAccess
 )
 
 
@@ -119,6 +120,15 @@ def test_notification_access_system_admin(notification, admin):
     assert access.can_delete(notification)
 
 
+@pytest.mark.django_db
+def test_system_auditor_JT_attach(system_auditor, job_template, notification_template):
+    job_template.admin_role.members.add(system_auditor)
+    access = JobTemplateAccess(system_auditor)
+    assert not access.can_attach(
+        job_template, notification_template, 'notification_templates_success',
+        {'id': notification_template.id})
+
+
 @pytest.mark.django_db
 def test_notification_access_org_admin(notification, org_admin):
     access = NotificationAccess(org_admin)