Made it so the credential organization field can't be changed

This makes it so the credential organizaiton field can't be changed
through the API (unless the user is a super user). This brings us into
alignment with the original intent.

awx/main/access.py

@@ -654,23 +654,14 @@ class CredentialAccess(BaseAccess):
         if not obj:
             return False
 
-        # Check access to organizations
-        organization_pk = get_pk_from_dict(data, 'organization')
-        if data and 'organization' in data and organization_pk != getattr(obj, 'organization_id', None):
-            if organization_pk:
-                # admin permission to destination organization is mandatory
-                new_organization_obj = get_object_or_400(Organization, pk=organization_pk)
-                if self.user not in new_organization_obj.admin_role:
-                    return False
-            # admin permission to existing organization is also mandatory
-            if obj.organization:
-                if self.user not in obj.organization.admin_role:
-                    return False
-
-        if obj.organization:
-            if self.user in obj.organization.admin_role:
-                return True
+        # Cannot change the organization for a credential after it's been created
+        if 'organization' in data:
+            organization_pk = get_pk_from_dict(data, 'organization')
+            if (organization_pk and (not obj.organization or organization_pk != obj.organization.id)) \
+                    or (not organization_pk and obj.organization):
+                return False
 
+        print(self.user in obj.admin_role)
         return self.user in obj.admin_role
 
     def can_delete(self, obj):

awx/main/tests/functional/api/test_credential.py

@@ -312,6 +312,37 @@ def test_list_created_org_credentials(post, get, organization, org_admin, org_me
     assert response.data['count'] == 0
 
 
+@pytest.mark.django_db
+def test_cant_change_organization(patch, credential, organization, org_admin):
+    credential.organization = organization
+    credential.save()
+
+    response = patch(reverse('api:credential_detail', args=(organization.id,)), {
+        'name': 'Some new name',
+    }, org_admin)
+    assert response.status_code == 200
+
+    response = patch(reverse('api:credential_detail', args=(organization.id,)), {
+        'name': 'Some new name2',
+        'organization': organization.id, # fine for it to be the same
+    }, org_admin)
+    assert response.status_code == 200
+
+    response = patch(reverse('api:credential_detail', args=(organization.id,)), {
+        'name': 'Some new name3',
+        'organization': None
+    }, org_admin)
+    assert response.status_code == 403
+
+@pytest.mark.django_db
+def test_cant_add_organization(patch, credential, organization, org_admin):
+    assert credential.organization is None
+    response = patch(reverse('api:credential_detail', args=(organization.id,)), {
+        'name': 'Some new name',
+        'organization': organization.id
+    }, org_admin)
+    assert response.status_code == 403
+
 
 #
 # Openstack Credentials

awx/main/tests/functional/conftest.py

@@ -160,7 +160,7 @@ def organization(instance):
 
 @pytest.fixture
 def credential():
-    return Credential.objects.create(kind='aws', name='test-cred')
+    return Credential.objects.create(kind='aws', name='test-cred', username='something', password='secret')
 
 @pytest.fixture
 def machine_credential():
@@ -168,7 +168,7 @@ def machine_credential():
 
 @pytest.fixture
 def org_credential(organization):
-    return Credential.objects.create(kind='aws', name='test-cred', organization=organization)
+    return Credential.objects.create(kind='aws', name='test-cred', username='something', password='secret', organization=organization)
 
 @pytest.fixture
 def inventory(organization):