From 76a7d25131fa35f11294886c9cd81a417f1621ca Mon Sep 17 00:00:00 2001
From: Matthew Jones <mat@matburt.net>
Date: Tue, 16 Dec 2014 13:00:33 -0500
Subject: [PATCH] Force custom inventory script organization to match the
 organization of an inventory source's inventory when creating/updating the
 inventory source

---
 awx/api/serializers.py      |  5 +++++
 awx/main/tests/inventory.py | 13 +++++++++++++
 2 files changed, 18 insertions(+)

diff --git a/awx/api/serializers.py b/awx/api/serializers.py
index 2f32657f29..0b13415206 100644
--- a/awx/api/serializers.py
+++ b/awx/api/serializers.py
@@ -1020,6 +1020,11 @@ class InventorySourceOptionsSerializer(BaseSerializer):
         if 'source' in attrs and attrs.get('source', '') == 'custom':
             if src is None or src == '':
                 raise serializers.ValidationError("source_script must be provided")
+            try:
+                if src.organization != self.object.inventory.organization:
+                    raise serializers.ValidationError("source_script does not belong to the same organization as the inventory")
+            except Exception, e:
+                raise serializers.ValidationError("source_script doesn't exist")
         return attrs
 
     def validate_source_vars(self, attrs, source):
diff --git a/awx/main/tests/inventory.py b/awx/main/tests/inventory.py
index 657ef0b713..af188167d5 100644
--- a/awx/main/tests/inventory.py
+++ b/awx/main/tests/inventory.py
@@ -1809,3 +1809,16 @@ class InventoryUpdatesTest(BaseTransactionTest):
         with self.current_user(self.super_django_user):
             response = self.put(custom_inv_src, inv_src_opts, expect=200)
         self.check_inventory_source(custom_group.inventory_source)
+
+        # This shouldn't work because we are trying to use a custom script from one organization with
+        # an inventory that belong to a different organization
+        other_org = self.make_organizations(self.super_django_user, 1)[0]
+        other_inv = other_org.inventories.create(name="A Different Org")
+        other_group = other_inv.groups.create(name='A Different Org Group')
+        other_inv_src = reverse('api:inventory_source_detail',
+                                args=(other_group.inventory_source.pk,))
+        other_inv_update = reverse('api:inventory_source_update_view',
+                                   args=(other_group.inventory_source.pk,))
+        other_inv_src_opts = {'source': 'custom', 'source_script': script_data['id']}
+        with self.current_user(self.super_django_user):
+            self.put(other_inv_src, other_inv_src_opts, expect=400)