Fixing Team and Credential access issues

awx/main/migrations/0025_v300_update_rbac_parents.py

@@ -0,0 +1,25 @@
+# -*- coding: utf-8 -*-
+from __future__ import unicode_literals
+
+from django.db import migrations, models
+import awx.main.fields
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('main', '0024_v300_jobtemplate_allow_simul'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='credential',
+            name='use_role',
+            field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=[b'organization.admin_role', b'owner_role'], to='main.Role', null=b'True'),
+        ),
+        migrations.AlterField(
+            model_name='team',
+            name='member_role',
+            field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=b'admin_role', to='main.Role', null=b'True'),
+        ),
+    ]

awx/main/models/organization.py

@@ -104,7 +104,9 @@ class Team(CommonModelNameNotUnique, ResourceMixin):
     admin_role = ImplicitRoleField(
         parent_role='organization.admin_role',
     )
-    member_role = ImplicitRoleField()
+    member_role = ImplicitRoleField(
+        parent_role='admin_role',
+    )
     read_role = ImplicitRoleField(
         parent_role=['admin_role', 'organization.auditor_role', 'member_role'],
     )

awx/main/tests/functional/test_rbac_team.py

@@ -90,3 +90,10 @@ def test_team_accessible_objects(team, user, project):
     team.member_role.members.add(u)
     assert len(Project.accessible_objects(u, 'read_role')) == 1
 
+@pytest.mark.django_db
+def test_team_admin_member_access(team, user, project):
+    u = user('team_admin', False)
+    team.member_role.children.add(project.use_role)
+    team.admin_role.members.add(u)
+
+    assert len(Project.accessible_objects(u, 'use_role')) == 1