From 1e4b44e54f8413df2efa1916aa9c1ee36a4f22b7 Mon Sep 17 00:00:00 2001
From: Seth Foster <fosterbseth@gmail.com>
Date: Mon, 12 Apr 2021 14:15:21 -0400
Subject: [PATCH] Prevent ee from being assigned to a new organization

- ee organization can be changed to null (less restrictive)
- if organization is null, cannot be assigned to org (more restrictive)
- if org is assigned, it cannot be set to a different org
---
 awx/api/serializers.py | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/awx/api/serializers.py b/awx/api/serializers.py
index 93793a90f2..cae3724ca3 100644
--- a/awx/api/serializers.py
+++ b/awx/api/serializers.py
@@ -1412,6 +1412,14 @@ class ExecutionEnvironmentSerializer(BaseSerializer):
             res['credential'] = self.reverse('api:credential_detail', kwargs={'pk': obj.credential.pk})
         return res
 
+    def validate(self, attrs):
+        # prevent changing organization of ee. Unsetting (change to null) is allowed
+        if self.instance:
+            org = attrs.get('organization', None)
+            if org and org.pk != self.instance.organization_id:
+                raise serializers.ValidationError({"organization": _("Cannot change the organization of an execution environment")})
+        return super(ExecutionEnvironmentSerializer, self).validate(attrs)
+
 
 class ProjectSerializer(UnifiedJobTemplateSerializer, ProjectOptionsSerializer):