From 8b67f1d1c6d898a823ce2652b9cbca290f2b5e81 Mon Sep 17 00:00:00 2001
From: Akita Noek
Date: Mon, 18 Apr 2016 11:27:22 -0400
Subject: [PATCH] Removed team<->org role cycle
---
 awx/main/migrations/0008_v300_rbac_changes.py | 4 ++--
 awx/main/models/organization.py | 3 +--
 awx/main/tests/functional/test_teams.py | 10 ++++++++++
 3 files changed, 13 insertions(+), 4 deletions(-)
 create mode 100644 awx/main/tests/functional/test_teams.py
diff --git a/awx/main/migrations/0008_v300_rbac_changes.py b/awx/main/migrations/0008_v300_rbac_changes.py
index 52c8bcfc3c..cb6a653890 100644
--- a/awx/main/migrations/0008_v300_rbac_changes.py
+++ b/awx/main/migrations/0008_v300_rbac_changes.py
@@ -238,7 +238,7 @@ class Migration(migrations.Migration):
 migrations.AddField(
 model_name='team',
 name='member_role',
- field=awx.main.fields.ImplicitRoleField(related_name='+', role_description=b'A member of this team', parent_role=b'admin_role', to='main.Role', role_name=b'Team Member', null=b'True'),
+ field=awx.main.fields.ImplicitRoleField(related_name='+', role_description=b'A member of this team', to='main.Role', role_name=b'Team Member', null=b'True'),
 ),
 migrations.AddField(
@@ -294,7 +294,7 @@ class Migration(migrations.Migration):
 migrations.AddField(
 model_name='team',
 name='read_role',
- field=awx.main.fields.ImplicitRoleField(related_name='+', role_description=b'Can view this team', parent_role=[b'auditor_role', b'member_role'], to='main.Role', role_name=b'Read', null=b'True'),
+ field=awx.main.fields.ImplicitRoleField(related_name='+', role_description=b'Can view this team', parent_role=[b'admin_role', b'auditor_role', b'member_role'], to='main.Role', role_name=b'Read', null=b'True'),
 ),
 migrations.AlterField(
 model_name='credential',
diff --git a/awx/main/models/organization.py b/awx/main/models/organization.py
index 9ef93e0b98..571f9117ab 100644
--- a/awx/main/models/organization.py
+++ b/awx/main/models/organization.py
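Review bot: In `awx/main/migrations/0008_v300_rbac_changes.py`, both hunks (the `member_role` field at line 238 and the `read_role` field at line 294) rewrite an existing migration in place, which changes nothing for a database that has already applied 0008. Such an instance, and presumably any team role links already stored under the old definition, would keep `admin_role` as a parent of `member_role`, so the cycle and the wider inherited access would persist there. Whether 0008 has been applied anywhere is not visible from this patch. If it has, the change belongs in a new migration that also re-links existing team roles; if it has not, a comment such as `# 0008 edited in place: not yet released, so no deployed schema carries the old parent_role` next to the field would record why the in-place edit is safe.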
@@ -122,12 +122,11 @@ class Team(CommonModelNameNotUnique, ResourceMixin):
 member_role = ImplicitRoleField(
 role_name='Team Member',
 role_description='A member of this team',
- parent_role='admin_role',
 )
 read_role = ImplicitRoleField(
 role_name='Read',
 role_description='Can view this team',
- parent_role=['auditor_role', 'member_role'],
+ parent_role=['admin_role', 'auditor_role', 'member_role'],
 )
 def get_absolute_url(self):
diff --git a/awx/main/tests/functional/test_teams.py b/awx/main/tests/functional/test_teams.py
new file mode 100644
index 0000000000..f1037f0462
--- /dev/null
+++ b/awx/main/tests/functional/test_teams.py
@@ -0,0 +1,10 @@
+import pytest
+
+
+@pytest.mark.django_db()
+def test_admin_not_member(team):
+ "Test to ensure we don't add admin_role as a parent to team.member_role, as "
+ "this creates a cycle with organization administration, which we've decided "
+ "to remove support for"
+
+ assert team.admin_role.is_ancestor_of(team.member_role) is False
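Review bot: In `awx/main/models/organization.py`, `member_role` now has no `parent_role` and nothing in the model says why, so a later edit could restore `parent_role='admin_role'` and silently widen what team admins inherit. A comment above the field, e.g. `# No parent_role on purpose: admin_role as a parent creates a cycle with organization administration.`, would record the decision where it is enforced. With this change team admins keep visibility through `read_role` but are no longer implicit members, so any access check that treats `member_role` as covering admins should be re-checked. Those call sites are outside this hunk, as is the rest of the `Team` class.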
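Review bot: `test_admin_not_member` in `awx/main/tests/functional/test_teams.py` pins only the removed edge and does not check the compensating one, where `admin_role` was added to the parents of `read_role` so that admins can still view the team. Adding `assert team.admin_role.is_ancestor_of(team.read_role)` would catch a regression that locks team admins out of read access. The three adjacent string literals act as a docstring only through implicit concatenation; a single triple-quoted docstring would be the conventional form.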