From 9c5c09169e137799d01d7a138d82b665638bbcb9 Mon Sep 17 00:00:00 2001
From: Akita Noek
Date: Tue, 16 Aug 2016 15:30:54 -0400
Subject: [PATCH] Made it so the credential organization field can't be changed

This makes it so the credential organizaiton field can't be changed through the API (unless the user is a super user). This brings us into alignment with the original intent.
---
 awx/main/access.py | 23 +++++---------
 .../tests/functional/api/test_credential.py | 31 +++++++++++++++++++
 awx/main/tests/functional/conftest.py | 4 +--
 3 files changed, 40 insertions(+), 18 deletions(-)

diff --git a/awx/main/access.py b/awx/main/access.py
index e5ca8fa0ec..582a402adb 100644
--- a/awx/main/access.py
+++ b/awx/main/access.py
@@ -654,23 +654,14 @@ class CredentialAccess(BaseAccess):
         if not obj:
             return False
 
-        # Check access to organizations
-        organization_pk = get_pk_from_dict(data, 'organization')
-        if data and 'organization' in data and organization_pk != getattr(obj, 'organization_id', None):
-            if organization_pk:
-                # admin permission to destination organization is mandatory
-                new_organization_obj = get_object_or_400(Organization, pk=organization_pk)
-                if self.user not in new_organization_obj.admin_role:
-                    return False
-            # admin permission to existing organization is also mandatory
-            if obj.organization:
-                if self.user not in obj.organization.admin_role:
-                    return False
-
-        if obj.organization:
-            if self.user in obj.organization.admin_role:
-                return True
+        # Cannot change the organization for a credential after it's been created
+        if 'organization' in data:
+            organization_pk = get_pk_from_dict(data, 'organization')
+            if (organization_pk and (not obj.organization or organization_pk != obj.organization.id)) \
+               or (not organization_pk and obj.organization):
+                return False
 
+        print(self.user in obj.admin_role)
         return self.user in obj.admin_role
 
     def can_delete(self, obj):
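Review bot: The added `print(self.user in obj.admin_role)` just before the final return is leftover debugging output; it writes the outcome of every permission check to stdout on each call and should be removed (or, if the trace is wanted, go through the module logger at debug level). The new `if 'organization' in data:` also drops the `data and` guard the removed block had, which suggests `data` may be None for some callers; if so the membership test raises TypeError and the access check errors out instead of denying, so keep the guard: `if data and 'organization' in data:`. The enclosing method starts before the hunk, so I cannot see whether the superuser bypass mentioned in the commit message is handled upstream of this code.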
diff --git a/awx/main/tests/functional/api/test_credential.py b/awx/main/tests/functional/api/test_credential.py
index 8031a493c5..3c79e62e33 100644
--- a/awx/main/tests/functional/api/test_credential.py
+++ b/awx/main/tests/functional/api/test_credential.py
@@ -312,6 +312,37 @@ def test_list_created_org_credentials(post, get, organization, org_admin, org_me
     assert response.data['count'] == 0
 
 
+@pytest.mark.django_db
+def test_cant_change_organization(patch, credential, organization, org_admin):
+    credential.organization = organization
+    credential.save()
+
+    response = patch(reverse('api:credential_detail', args=(organization.id,)), {
+        'name': 'Some new name',
+    }, org_admin)
+    assert response.status_code == 200
+
+    response = patch(reverse('api:credential_detail', args=(organization.id,)), {
+        'name': 'Some new name2',
+        'organization': organization.id, # fine for it to be the same
+    }, org_admin)
+    assert response.status_code == 200
+
+    response = patch(reverse('api:credential_detail', args=(organization.id,)), {
+        'name': 'Some new name3',
+        'organization': None
+    }, org_admin)
+    assert response.status_code == 403
+
+@pytest.mark.django_db
+def test_cant_add_organization(patch, credential, organization, org_admin):
+    assert credential.organization is None
+    response = patch(reverse('api:credential_detail', args=(organization.id,)), {
+        'name': 'Some new name',
+        'organization': organization.id
+    }, org_admin)
+    assert response.status_code == 403
+
 
 #
 # Openstack Credentials
diff --git a/awx/main/tests/functional/conftest.py b/awx/main/tests/functional/conftest.py
index 5e67dda1b5..e5e1222a39 100644
--- a/awx/main/tests/functional/conftest.py
+++ b/awx/main/tests/functional/conftest.py
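Review bot: Every PATCH in both new tests builds its URL with `args=(organization.id,)`, but `api:credential_detail` is keyed by the credential's pk, so the requests only reach the intended object when the organization and credential fixtures happen to share an id; use `reverse('api:credential_detail', args=(credential.id,))` in all four calls. In `test_cant_add_organization` the 403 is asserted without first showing that `org_admin` can PATCH the unowned credential's name at all, so the test may also pass if that user simply has no access to the credential; a preceding name-only PATCH expecting 200 (or an explicit role grant on the credential) would pin the denial to the organization field specifically. Stylistically, PEP 8 wants two blank lines between the top-level test functions, and the trailing inline comment should be `# fine for it to be the same` preceded by two spaces.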
@@ -160,7 +160,7 @@ def organization(instance):
 
 @pytest.fixture
 def credential():
-    return Credential.objects.create(kind='aws', name='test-cred')
+    return Credential.objects.create(kind='aws', name='test-cred', username='something', password='secret')
 
 @pytest.fixture
 def machine_credential():
@@ -168,7 +168,7 @@ def machine_credential():
 
 @pytest.fixture
 def org_credential(organization):
-    return Credential.objects.create(kind='aws', name='test-cred', organization=organization)
+    return Credential.objects.create(kind='aws', name='test-cred', username='something', password='secret', organization=organization)
 
 @pytest.fixture
 def inventory(organization):