From 74c6c350a1d5207fbbc4d0d71eb9dbc7721d27e8 Mon Sep 17 00:00:00 2001
From: AlanCoding
Date: Mon, 4 Jun 2018 14:25:27 -0400
Subject: [PATCH] show org-admins all teams if ALL USERS setting enabled
---
 awx/main/access.py | 3 +++
 awx/main/conf.py | 3 ++-
 awx/main/tests/functional/test_rbac_team.py | 14 +++++++++++++-
 3 files changed, 18 insertions(+), 2 deletions(-)
diff --git a/awx/main/access.py b/awx/main/access.py
index ed2886f4b8..9ff9973269 100644
--- a/awx/main/access.py
+++ b/awx/main/access.py
@@ -1114,6 +1114,9 @@ class TeamAccess(BaseAccess):
 select_related = ('created_by', 'modified_by', 'organization',)
 def filtered_queryset(self):
+ if settings.ORG_ADMINS_CAN_SEE_ALL_USERS and \
+ (self.user.admin_of_organizations.exists() or self.user.auditor_of_organizations.exists()):
+ return self.model.objects.all()
 return self.model.accessible_objects(self.user, 'read_role')
 @check_superuser
diff --git a/awx/main/conf.py b/awx/main/conf.py
index 80774e09b0..c3a9c87173 100644
--- a/awx/main/conf.py
+++ b/awx/main/conf.py
@@ -38,7 +38,8 @@ register(
 'ORG_ADMINS_CAN_SEE_ALL_USERS',
 field_class=fields.BooleanField,
 label=_('All Users Visible to Organization Admins'),
- help_text=_('Controls whether any Organization Admin can view all users, even those not associated with their Organization.'),
+ help_text=_('Controls whether any Organization Admin can view all users and teams, '
+ 'even those not associated with their Organization.'),
 category=_('System'),
 category_slug='system',
 )
diff --git a/awx/main/tests/functional/test_rbac_team.py b/awx/main/tests/functional/test_rbac_team.py
index 5e7cf4ad85..bb75c4f0cc 100644
--- a/awx/main/tests/functional/test_rbac_team.py
+++ b/awx/main/tests/functional/test_rbac_team.py
@@ -1,7 +1,8 @@
 import pytest
+import mock
 from awx.main.access import TeamAccess
-from awx.main.models import Project
+from awx.main.models import Project, Organization, Team
 @pytest.mark.django_db
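Review bot: The new branch in `filtered_queryset` opens every team to organization auditors as well as organization admins (`self.user.auditor_of_organizations.exists()`), but the setting is named `ORG_ADMINS_CAN_SEE_ALL_USERS` and its label and help text in awx/main/conf.py, reworded in this same commit, still speak only of Organization Admins. Once the flag is on, being admin or auditor of any single organization is enough to read teams that belong to all the others, so that scope should be stated where operators and maintainers will see it. I would add a comment above the check, `# Deliberate: admins and auditors of any org get read visibility of all teams, across organizations`, and name auditors in the help text, or drop the auditor clause if it was not intended. `filtered_queryset` itself is fully visible here; the rest of `TeamAccess` lies outside the hunk.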
@@ -116,3 +117,14 @@ def test_org_admin_team_access(organization, team, user, project):
 team.member_role.children.add(project.use_role)
 assert len(Project.accessible_objects(u, 'use_role')) == 1
+
+
+@pytest.mark.django_db
+@pytest.mark.parametrize('enabled', [True, False])
+def test_org_admin_view_all_teams(org_admin, enabled):
+ access = TeamAccess(org_admin)
+ other_org = Organization.objects.create(name='other-org')
+ other_team = Team.objects.create(name='other-team', organization=other_org)
+ with mock.patch('awx.main.access.settings') as settings_mock:
+ settings_mock.ORG_ADMINS_CAN_SEE_ALL_USERS = enabled
+ assert access.can_read(other_team) is enabled
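Review bot: `test_org_admin_view_all_teams` exercises only an org admin, so neither the auditor clause added to `TeamAccess.filtered_queryset` nor the denial path for a user who is admin or auditor of no organization is pinned. A regression that returned `self.model.objects.all()` to every user while the setting is enabled would still pass. I would add a parametrized case for an organization auditor and one asserting `access.can_read(other_team) is False` for an ordinary user with the setting on. Separately, `mock.patch('awx.main.access.settings')` swaps the whole settings object for a mock, so any other setting read on the `can_read` path comes back as a truthy mock attribute. Overriding only the one value, for example `with override_settings(ORG_ADMINS_CAN_SEE_ALL_USERS=enabled):` if the project's settings wrapper supports it, would keep the rest of the configuration real.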