From 6e1e7d8426d9b460dac73068cc0016157e682114 Mon Sep 17 00:00:00 2001
From: AlanCoding <arominge@redhat.com>
Date: Wed, 4 Apr 2018 14:35:28 -0400
Subject: [PATCH] remove shortcut for custom scripts copy

---
 awx/main/access.py                            |  2 +-
 .../tests/functional/test_rbac_inventory.py   | 27 ++++++++++++++-----
 2 files changed, 22 insertions(+), 7 deletions(-)

diff --git a/awx/main/access.py b/awx/main/access.py
index 23f182177d..0855a6c146 100644
--- a/awx/main/access.py
+++ b/awx/main/access.py
@@ -395,7 +395,7 @@ class BaseAccess(object):
             elif display_method == 'delete' and not isinstance(obj, (User, UnifiedJob, CustomInventoryScript)):
                 user_capabilities['delete'] = user_capabilities['edit']
                 continue
-            elif display_method == 'copy' and isinstance(obj, (Group, Host, CustomInventoryScript)):
+            elif display_method == 'copy' and isinstance(obj, (Group, Host)):
                 user_capabilities['copy'] = user_capabilities['edit']
                 continue
 
diff --git a/awx/main/tests/functional/test_rbac_inventory.py b/awx/main/tests/functional/test_rbac_inventory.py
index 3258b9d0ae..508b2e0773 100644
--- a/awx/main/tests/functional/test_rbac_inventory.py
+++ b/awx/main/tests/functional/test_rbac_inventory.py
@@ -32,25 +32,40 @@ def test_custom_inv_script_access(organization, user):
     assert ou in custom_inv.admin_role
 
 
-@pytest.mark.django_db
-def test_modify_inv_script_foreign_org_admin(org_admin, organization, organization_factory, project):
-    custom_inv = CustomInventoryScript.objects.create(name='test', script='test', description='test',
-                                                      organization=organization)
+@pytest.fixture
+def custom_inv(organization):
+    return CustomInventoryScript.objects.create(
+        name='test', script='test', description='test', organization=organization)
 
+
+@pytest.mark.django_db
+def test_modify_inv_script_foreign_org_admin(
+        org_admin, organization, organization_factory, project, custom_inv):
     other_org = organization_factory('not-my-org').organization
     access = CustomInventoryScriptAccess(org_admin)
     assert not access.can_change(custom_inv, {'organization': other_org.pk, 'name': 'new-project'})
 
 
 @pytest.mark.django_db
-def test_org_member_inventory_script_permissions(org_member, organization):
-    custom_inv = CustomInventoryScript.objects.create(name='test', script='test', organization=organization)
+def test_org_member_inventory_script_permissions(org_member, organization, custom_inv):
     access = CustomInventoryScriptAccess(org_member)
     assert access.can_read(custom_inv)
     assert not access.can_delete(custom_inv)
     assert not access.can_change(custom_inv, {'name': 'ed-test'})
 
 
+@pytest.mark.django_db
+def test_copy_only_admin(org_member, organization, custom_inv):
+    custom_inv.admin_role.members.add(org_member)
+    access = CustomInventoryScriptAccess(org_member)
+    assert not access.can_copy(custom_inv)
+    assert access.get_user_capabilities(custom_inv, method_list=['edit', 'delete', 'copy']) == {
+        'edit': True,
+        'delete': True,
+        'copy': False
+    }
+
+
 @pytest.mark.django_db
 @pytest.mark.parametrize("role", ["admin_role", "inventory_admin_role"])
 def test_access_admin(role, organization, inventory, user):