Allow orphaned user to be added to org

Fixed bug where an org admin was not able to add
an orphaned user to the org, in the case where the
orphan had an ancestor role that matched one of the
roles of the org admin.

scenario to fix -- sue is member of cred1, where cred1 is
part of org1. org1 admin cannot add sue to org1, because
the cred1 role for sue has an ancestor to org1 role. The org1
admin cannot change or attach sue to org1.

tower issue #4198 and #4197
Seth Foster 2020-04-02 14:22:10 -04:00
parent 99384b1db9
commit 843c22c6b1
2 changed files with 9 additions and 4 deletions


@ -11,7 +11,6 @@ from functools import reduce
from django.conf import settings
from django.db.models import Q, Prefetch
from django.contrib.auth.models import User
from django.contrib.contenttypes.models import ContentType
from django.utils.translation import ugettext_lazy as _
from django.core.exceptions import ObjectDoesNotExist
@ -650,8 +649,8 @@ class UserAccess(BaseAccess):
# in these cases only superusers can modify orphan users
return False
return not obj.roles.all().exclude(
content_type=ContentType.objects.get_for_model(User)
).filter(ancestors__in=self.user.roles.all()).exists()
ancestors__in=self.user.roles.all()
).exists()
else:
return self.is_all_org_admin(obj)
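Review bot: The new `return not obj.roles.all().exclude(ancestors__in=self.user.roles.all()).exists()` is the entire authorization gate for adopting an orphaned user, and an `exclude` across a multi-valued relation followed by a negation is easy to misread, so it should carry a comment such as `# adoptable only if every role the orphan holds descends from a role self.user holds`. The same comment should state that an orphan holding no roles at all passes this check for any caller that reaches this branch, because the queryset is empty and `exists()` is False; that was also true before the change, but it is now the only remaining condition. Note that `self.user.roles.all()` is not limited to admin-type roles, so a member or read role of the acting user that sits above one of the orphan's roles also satisfies the check; whether that is the intended boundary depends on the role hierarchy and on what the callers verify first, neither of which is visible in this hunk. The enclosing method starts outside the hunk, so the superuser/auditor guards that presumably precede this branch could not be reviewed here.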


@ -60,6 +60,8 @@ def test_org_user_role_attach(user, organization, inventory):
'''
admin = user('admin')
nonmember = user('nonmember')
other_org = Organization.objects.create(name="other_org")
other_org.member_role.members.add(nonmember)
inventory.admin_role.members.add(nonmember)
organization.admin_role.members.add(admin)
@ -186,13 +188,17 @@ def test_need_all_orgs_to_admin_user(user):
# Orphaned user can be added to member role, only in special cases
@pytest.mark.django_db
def test_orphaned_user_allowed(org_admin, rando, organization):
def test_orphaned_user_allowed(org_admin, rando, organization, org_credential):
'''
We still allow adoption of orphaned* users by assigning them to
organization member role, but only in the situation where the
org admin already posesses indirect access to all of the user's roles
*orphaned means user is not a member of any organization
'''
# give a descendent role to rando, to trigger the conditional
# where all ancestor roles of rando should be in the set of
# org_admin roles.
org_credential.admin_role.members.add(rando)
role_access = RoleAccess(org_admin)
org_access = OrganizationAccess(org_admin)
assert role_access.can_attach(organization.member_role, rando, 'members', None)