Adjust the access logic for settings.MANAGE_ORGANIZATION_AUTH = False

so that changing the membership of Organizations and Teams are disallowed unless you are a superuser, but granting resource privileges is still permitted.
2026-05-08 09:57:35 -02:30 · 2019-04-17 15:37:02 -04:00
parent fbc7d1a9f2
commit 70b0679a0c
2 changed files with 28 additions and 18 deletions
--- a/awx/main/tests/functional/test_rbac_user.py
+++ b/awx/main/tests/functional/test_rbac_user.py
@@ -77,19 +77,27 @@ def test_manage_org_auth_setting(ext_auth, superuser, expect, organization, rand
        assert [
            # use via /api/v2/users/N/roles/
            UserAccess(u).can_attach(rando, organization.admin_role, 'roles'),
+            UserAccess(u).can_attach(rando, organization.member_role, 'roles'),
            UserAccess(u).can_attach(rando, team.admin_role, 'roles'),
+            UserAccess(u).can_attach(rando, team.member_role, 'roles'),
            # use via /api/v2/roles/N/users/
            RoleAccess(u).can_attach(organization.admin_role, rando, 'members'),
-            RoleAccess(u).can_attach(team.admin_role, rando, 'members')
-        ] == [expect for i in range(4)]
+            RoleAccess(u).can_attach(organization.member_role, rando, 'members'),
+            RoleAccess(u).can_attach(team.admin_role, rando, 'members'),
+            RoleAccess(u).can_attach(team.member_role, rando, 'members'),
+        ] == [expect for i in range(8)]
        assert [
            # use via /api/v2/users/N/roles/
            UserAccess(u).can_unattach(rando, organization.admin_role, 'roles'),
+            UserAccess(u).can_unattach(rando, organization.member_role, 'roles'),
            UserAccess(u).can_unattach(rando, team.admin_role, 'roles'),
+            UserAccess(u).can_unattach(rando, team.member_role, 'roles'),
            # use via /api/v2/roles/N/users/
            RoleAccess(u).can_unattach(organization.admin_role, rando, 'members'),
-            RoleAccess(u).can_unattach(team.admin_role, rando, 'members')
-        ] == [expect for i in range(4)]
+            RoleAccess(u).can_unattach(organization.member_role, rando, 'members'),
+            RoleAccess(u).can_unattach(team.admin_role, rando, 'members'),
+            RoleAccess(u).can_unattach(team.member_role, rando, 'members'),
+        ] == [expect for i in range(8)]


@pytest.mark.django_db