diff --git a/awx/main/tests/functional/test_rbac_inventory.py b/awx/main/tests/functional/test_rbac_inventory.py index 287919ad31..5b28645922 100644 --- a/awx/main/tests/functional/test_rbac_inventory.py +++ b/awx/main/tests/functional/test_rbac_inventory.py @@ -9,12 +9,13 @@ from awx.main.models import ( from awx.main.access import ( InventoryAccess, HostAccess, - InventoryUpdateAccess + InventoryUpdateAccess, + CustomInventoryScriptAccess ) from django.apps import apps @pytest.mark.django_db -def test_custom_inv_script_access(organization, user): +def test_custom_inv_script_access(organization, user, organization_factory): u = user('user', False) ou = user('oadm', False) @@ -29,6 +30,10 @@ def test_custom_inv_script_access(organization, user): organization.admin_role.members.add(ou) assert ou in custom_inv.admin_role + other_org = organization_factory('not-my-org').organization + access = CustomInventoryScriptAccess(ou) + assert not access.can_change(custom_inv, {'organization': other_org.pk, 'name': 'new-project'}) + @pytest.mark.django_db def test_inventory_admin_user(inventory, permissions, user): u = user('admin', False) diff --git a/awx/main/tests/functional/test_rbac_project.py b/awx/main/tests/functional/test_rbac_project.py index ba88226b2e..2b342df198 100644 --- a/awx/main/tests/functional/test_rbac_project.py +++ b/awx/main/tests/functional/test_rbac_project.py @@ -217,3 +217,10 @@ def test_create_project_foreign_org_admin(org_admin, organization, organization_ other_org = organization_factory('not-my-org').organization access = ProjectAccess(org_admin) assert not access.can_add({'organization': other_org.pk, 'name': 'new-project'}) + +@pytest.mark.django_db +def test_modify_project_foreign_org_admin(org_admin, organization, organization_factory, project): + """Org admins can only modify projects in their own org.""" + other_org = organization_factory('not-my-org').organization + access = ProjectAccess(org_admin) + assert not access.can_change(project, {'organization': other_org.pk, 'name': 'new-project'})