Merge pull request #9874 from fosterseth/fix_a9769_ee_rbac_change_org

Prevent execution environment from being assigned to a new organization SUMMARY related #9769 ee organization can be changed to null (less restrictive) if organization is null, cannot be assigned to org (more restrictive) if org is assigned, it cannot be set to a different org ISSUE TYPE Bugfix Pull Request COMPONENT NAME API AWX VERSION awx: 19.0.0 Reviewed-by: Kersom <None> Reviewed-by: Chris Meyers <None> Reviewed-by: Jeff Bradberry <None> Reviewed-by: Seth Foster <None>
2026-01-12 18:40:01 -03:30 · 2021-04-13 15:24:44 +00:00 · 2021-04-13 15:24:44 +00:00 · 98bb296c6a
commit 98bb296c6a
parent e67923382a 1e4b44e54f
1 changed files with 8 additions and 0 deletions
--- a/awx/api/serializers.py
+++ b/awx/api/serializers.py
@ -1412,6 +1412,14 @@ class ExecutionEnvironmentSerializer(BaseSerializer):
            res['credential'] = self.reverse('api:credential_detail', kwargs={'pk': obj.credential.pk})
        return res

+    def validate(self, attrs):
+        # prevent changing organization of ee. Unsetting (change to null) is allowed
+        if self.instance:
+            org = attrs.get('organization', None)
+            if org and org.pk != self.instance.organization_id:
+                raise serializers.ValidationError({"organization": _("Cannot change the organization of an execution environment")})
+        return super(ExecutionEnvironmentSerializer, self).validate(attrs)
+

 class ProjectSerializer(UnifiedJobTemplateSerializer, ProjectOptionsSerializer):