Merge pull request #2739 from AlanCoding/2735_proj_access

Do not allow creating projects as foreign org admin

awx/main/access.py

@@ -711,8 +711,9 @@ class ProjectAccess(BaseAccess):
 
     @check_superuser
     def can_add(self, data):
-        qs = Organization.accessible_objects(self.user, 'admin_role')
+        organization_pk = get_pk_from_dict(data, 'organization')
-        return qs.exists()
+        org = get_object_or_400(Organization, pk=organization_pk)
+        return self.user in org.admin_role
 
     @check_superuser
     def can_change(self, obj, data):

awx/main/tests/functional/test_rbac_project.py

@@ -2,6 +2,7 @@ import pytest
 
 from awx.main.migrations import _rbac as rbac
 from awx.main.models import Role, Permission, Project, Organization, Credential, JobTemplate, Inventory
+from awx.main.access import ProjectAccess
 from django.apps import apps
 from awx.main.migrations import _old_access as old_access
 
@@ -209,3 +210,10 @@ def test_project_explicit_permission(user, team, project, organization):
     rbac.migrate_projects(apps, None)
 
     assert u in project.read_role
+
+@pytest.mark.django_db
+def test_create_project_foreign_org_admin(org_admin, organization, organization_factory):
+    """Org admins can only create projects in their own org."""
+    other_org = organization_factory('not-my-org').organization
+    access = ProjectAccess(org_admin)
+    assert not access.can_add({'organization': other_org.pk, 'name': 'new-project'})