From 819b318fe560625b299f31b1577bf75575d7b623 Mon Sep 17 00:00:00 2001
From: Wayne Witzel III
Date: Fri, 2 Feb 2018 17:25:33 +0000
Subject: [PATCH] Add Org Execute
---
 awx/main/access.py | 4 ++--
 .../migrations/0020_declare_new_rbac_roles.py | 17 ++++++++++++++++-
 awx/main/models/jobs.py | 2 +-
 awx/main/models/organization.py | 5 ++++-
 awx/main/models/workflow.py | 3 ++-
 .../tests/functional/test_rbac_notifications.py | 2 ++
 awx/main/tests/unit/test_access.py | 1 +
 7 files changed, 28 insertions(+), 6 deletions(-)
diff --git a/awx/main/access.py b/awx/main/access.py
index 4d91943fec..1bc1d90f5f 100644
--- a/awx/main/access.py
+++ b/awx/main/access.py
@@ -1792,8 +1792,8 @@ class WorkflowJobTemplateAccess(BaseAccess):
 if self.user.is_superuser:
 return True
- return (self.check_related('organization', Organization, data, role_field='workflow_admin_field', obj=obj) and self.user in obj.admin_role)
+ return (self.check_related('organization', Organization, data, role_field='workflow_admin_field', obj=obj) and
+ self.user in obj.admin_role)
 def can_delete(self, obj):
 is_delete_allowed = self.user.is_superuser or self.user in obj.admin_role
diff --git a/awx/main/migrations/0020_declare_new_rbac_roles.py b/awx/main/migrations/0020_declare_new_rbac_roles.py
index da151393ab..9b489b7b70 100644
--- a/awx/main/migrations/0020_declare_new_rbac_roles.py
+++ b/awx/main/migrations/0020_declare_new_rbac_roles.py
@@ -15,6 +15,11 @@ class Migration(migrations.Migration):
 ]
 operations = [
+ migrations.AddField(
+ model_name='organization',
+ name='execute_role',
+ field=awx.main.fields.ImplicitRoleField(null=b'True', on_delete=django.db.models.deletion.CASCADE, parent_role=b'admin_role', related_name='+', to='main.Role'),
+ ),
 migrations.AddField(
 model_name='organization',
 name='credential_admin_role',
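Review bot: The rewrapped `return` still passes `role_field='workflow_admin_field'` to `check_related`, while the only related role name visible anywhere in this patch is `workflow_admin_role` (declared on `Organization` and referenced by the migration), so the string looks like a typo that the rewrap preserves. If `check_related` resolves `role_field` with `getattr` and a default, the organization-level check in this authorization path could silently degrade rather than fail loudly; that should be confirmed against `check_related`'s body, which is outside this hunk. If confirmed, the correction is `role_field='workflow_admin_role'`. The enclosing method starts before the hunk.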
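Review bot: The new `execute_role` is introduced by inserting an `AddField` into the already-existing migration 0020 rather than by a new migration file, so any database on which 0020 has already been applied will never receive the `execute_role` field on `organization`, and the `AlterField` operations in this file's second hunk will be skipped on such databases in the same way. If 0020 has not been applied outside this branch that is acceptable, but the commit message should say so, since a silently missing role column would surface only as denied or incorrectly granted launches later. The `operations` list continues outside the hunk.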
@@ -60,14 +65,24 @@ class Migration(migrations.Migration):
 name='admin_role',
 field=awx.main.fields.ImplicitRoleField(null=b'True', on_delete=django.db.models.deletion.CASCADE, parent_role=[b'singleton:system_administrator', b'organization.workflow_admin_role'], related_name='+', to='main.Role'),
 ),
+ migrations.AlterField(
+ model_name='workflowjobtemplate',
+ name='execute_role',
+ field=awx.main.fields.ImplicitRoleField(null=b'True', on_delete=django.db.models.deletion.CASCADE, parent_role=[b'admin_role', b'organization.execute_role'], related_name='+', to='main.Role'),
+ ),
 migrations.AlterField(
 model_name='jobtemplate',
 name='admin_role',
 field=awx.main.fields.ImplicitRoleField(null=b'True', on_delete=django.db.models.deletion.CASCADE, parent_role=[b'project.organization.project_admin_role', b'inventory.organization.inventory_admin_role'], related_name='+', to='main.Role'),
 ),
+ migrations.AlterField(
+ model_name='jobtemplate',
+ name='execute_role',
+ field=awx.main.fields.ImplicitRoleField(null=b'True', on_delete=django.db.models.deletion.CASCADE, parent_role=[b'admin_role', b'project.organization.execute_role', b'inventory.organization.execute_role'], related_name='+', to='main.Role'),
+ ),
 migrations.AlterField(
 model_name='organization',
 name='member_role',
- field=awx.main.fields.ImplicitRoleField(null=b'True', on_delete=django.db.models.deletion.CASCADE, parent_role=[b'admin_role', b'project_admin_role', b'inventory_admin_role', b'workflow_admin_role', b'notification_admin_role'], related_name='+', to='main.Role'),
+ field=awx.main.fields.ImplicitRoleField(null=b'True', on_delete=django.db.models.deletion.CASCADE, parent_role=[b'admin_role', b'project_admin_role', b'inventory_admin_role', b'workflow_admin_role', b'notification_admin_role', b'execute_role'], related_name='+', to='main.Role'),
 ),
 ]
diff --git a/awx/main/models/jobs.py b/awx/main/models/jobs.py
index 6626e552ae..5efd502a7d 100644
--- a/awx/main/models/jobs.py
+++ b/awx/main/models/jobs.py
@@ -273,7 +273,7 @@ class JobTemplate(UnifiedJobTemplate, JobOptions, SurveyJobTemplateMixin, Resour
 parent_role=['project.organization.project_admin_role', 'inventory.organization.inventory_admin_role']
 )
 execute_role = ImplicitRoleField(
- parent_role=['admin_role'],
+ parent_role=['admin_role', 'project.organization.execute_role', 'inventory.organization.execute_role'],
 )
 read_role = ImplicitRoleField(
 parent_role=['project.organization.auditor_role', 'inventory.organization.auditor_role', 'execute_role', 'admin_role'],
diff --git a/awx/main/models/organization.py b/awx/main/models/organization.py
index b9a562fd3c..fef640182a 100644
--- a/awx/main/models/organization.py
+++ b/awx/main/models/organization.py
@@ -43,6 +43,9 @@ class Organization(CommonModel, NotificationFieldsModel, ResourceMixin, CustomVi
 admin_role = ImplicitRoleField(
 parent_role='singleton:' + ROLE_SINGLETON_SYSTEM_ADMINISTRATOR,
 )
+ execute_role = ImplicitRoleField(
+ parent_role='admin_role',
+ )
 project_admin_role = ImplicitRoleField(
 parent_role='admin_role',
 )
@@ -62,7 +65,7 @@ class Organization(CommonModel, NotificationFieldsModel, ResourceMixin, CustomVi
 parent_role='singleton:' + ROLE_SINGLETON_SYSTEM_AUDITOR,
 )
 member_role = ImplicitRoleField(
- parent_role=['admin_role', 'project_admin_role',
+ parent_role=['admin_role', 'execute_role', 'project_admin_role',
 'inventory_admin_role', 'workflow_admin_role', 'notification_admin_role']
 )
diff --git a/awx/main/models/workflow.py b/awx/main/models/workflow.py
index 890a8806c5..5c582683c6 100644
--- a/awx/main/models/workflow.py
+++ b/awx/main/models/workflow.py
@@ -309,7 +309,8 @@ class WorkflowJobTemplate(UnifiedJobTemplate, WorkflowJobOptions, SurveyJobTempl
 'organization.workflow_admin_role'
 ])
 execute_role = ImplicitRoleField(parent_role=[
- 'admin_role'
+ 'admin_role',
+ 'organization.execute_role',
 ])
 read_role = ImplicitRoleField(parent_role=[
 'singleton:' + ROLE_SINGLETON_SYSTEM_AUDITOR,
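Review bot: The widened `parent_role` list on `JobTemplate.execute_role` makes an execute grant on either the project's organization or the inventory's organization sufficient to launch the template, and nothing in the hunk records that the two-path grant is intended. For a template whose project and inventory belong to different organizations (whether the model permits that is not visible here) this confers launch rights across an organization boundary, so a comment above the list such as `# launch is granted by execute_role of the project's org OR the inventory's org, mirroring the two-path admin_role above` would keep that decision auditable. The `admin_role` declaration just above already uses the same two-path pattern, so the change is consistent; it is the implicit widening of who can execute that deserves a line of documentation. The `JobTemplate` class body continues outside the hunk.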
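Review bot: `Organization.execute_role` is declared with only `parent_role='admin_role'` and no comment on what the role confers; its meaning exists only indirectly through the `parent_role` lists this patch adds in `jobs.py` and `workflow.py`. A one-line comment above the field, e.g. `# execute_role: implicit launch rights on job templates and workflow job templates whose project, inventory or organization is this org (see their execute_role parents)`, keeps the grant legible to whoever next audits the role hierarchy without opening three files. The `Organization` class body continues outside the hunk.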
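Review bot: The model now lists `'execute_role'` second in `member_role`'s `parent_role` while the migration in this patch appends `b'execute_role'` last; if `ImplicitRoleField.deconstruct()` includes `parent_role` (its body is not visible here), `makemigrations` may report the model and migration 0020 as out of sync on ordering alone. Using the same order in both places, e.g. `parent_role=['admin_role', 'project_admin_role', 'inventory_admin_role', 'workflow_admin_role', 'notification_admin_role', 'execute_role']`, removes the doubt without changing the resulting grants. The `member_role` declaration's trailing lines are context here, so the whole list can be reordered within the hunk.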
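Review bot: Nothing in the patch exercises the new inheritance added here — the two test files in the diffstat change only by blank lines — so there is no assertion that a member of `organization.execute_role` can launch a workflow job template, nor that a plain `member_role` holder does not, nor the corresponding `JobTemplate` path via the project's and inventory's organizations. Because this patch also makes `execute_role` a parent of `Organization.member_role`, a regression test pinning both directions of that hierarchy would catch an accidental inversion, which for an authorization role is the failure mode worth guarding. The `WorkflowJobTemplate` class body continues outside the hunk.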
diff --git a/awx/main/tests/functional/test_rbac_notifications.py b/awx/main/tests/functional/test_rbac_notifications.py
index 41fcbfc19c..18ff3959aa 100644
--- a/awx/main/tests/functional/test_rbac_notifications.py
+++ b/awx/main/tests/functional/test_rbac_notifications.py
@@ -32,12 +32,14 @@ def test_notification_template_get_queryset_orgadmin(notification_template, user
 notification_template.organization.admin_role.members.add(user('admin', False))
 assert access.get_queryset().count() == 1
+
 @pytest.mark.django_db
 def test_notification_template_get_queryset_notificationadmin(notification_template, user):
 access = NotificationTemplateAccess(user('admin', False))
 notification_template.organization.notification_admin_role.members.add(user('admin', False))
 assert access.get_queryset().count() == 1
+
 @pytest.mark.django_db
 def test_notification_template_get_queryset_org_auditor(notification_template, org_auditor):
 access = NotificationTemplateAccess(org_auditor)
diff --git a/awx/main/tests/unit/test_access.py b/awx/main/tests/unit/test_access.py
index 44231daf59..6b20aaaed9 100644
--- a/awx/main/tests/unit/test_access.py
+++ b/awx/main/tests/unit/test_access.py
@@ -245,6 +245,7 @@ class TestWorkflowAccessMethods:
 organization = Organization(name='test-org')
 workflow.organization = organization
 organization.workflow_admin_role = Role()
+
 def mock_get_object(Class, **kwargs):
 if Class == Organization:
 return organization