From 253606c8bf5fac08c5e7ed3654ed4178c10cd8f4 Mon Sep 17 00:00:00 2001
From: AlanCoding
Date: Thu, 31 May 2018 08:30:41 -0400
Subject: [PATCH 1/2] allow managing credentials with external user management
---
 awx/main/access.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/awx/main/access.py b/awx/main/access.py
index ed2886f4b8..0f1a100946 100644
--- a/awx/main/access.py
+++ b/awx/main/access.py
@@ -537,8 +537,8 @@ class UserAccess(BaseAccess):
 return not self.user_membership_roles(u).exists()
 @check_superuser
- def can_admin(self, obj, data, allow_orphans=False):
- if not settings.MANAGE_ORGANIZATION_AUTH:
+ def can_admin(self, obj, data, allow_orphans=False, check_setting=True):
+ if check_setting and (not settings.MANAGE_ORGANIZATION_AUTH):
 return False
 if obj.is_superuser or obj.is_system_auditor:
 # must be superuser to admin users with system roles
@@ -1071,7 +1071,7 @@ class CredentialAccess(BaseAccess):
 return True
 if data and data.get('user', None):
 user_obj = get_object_from_data('user', User, data)
- return check_user_access(self.user, User, 'change', user_obj, None)
+ return bool(self.user == user_obj or UserAccess(self.user).can_admin(user_obj, None, check_setting=False))
 if data and data.get('team', None):
 team_obj = get_object_from_data('team', Team, data)
 return check_user_access(self.user, Team, 'change', team_obj, None)
From f692f0c70a3c90e53c7415f18faf6a7d15fd28f9 Mon Sep 17 00:00:00 2001
From: AlanCoding
Date: Thu, 31 May 2018 08:58:38 -0400
Subject: [PATCH 2/2] test creating credential for self & org_member
---
 .../tests/functional/test_rbac_credential.py | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
diff --git a/awx/main/tests/functional/test_rbac_credential.py b/awx/main/tests/functional/test_rbac_credential.py
index 783fdd9e82..2b134c18f5 100644
--- a/awx/main/tests/functional/test_rbac_credential.py
+++ b/awx/main/tests/functional/test_rbac_credential.py
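Review bot: The new `check_setting` argument on `can_admin` switches off the `MANAGE_ORGANIZATION_AUTH` gate for any caller that passes `False`, and nothing in the signature or body says when that is acceptable. A one-line docstring would keep later callers from reusing it for checks that do change users or memberships, for example `"""check_setting=False skips the MANAGE_ORGANIZATION_AUTH gate; use it only for checks that do not modify the user or its memberships."""`. The `is_superuser` / `is_system_auditor` branch below the gate still runs in that mode, but the body continues past the end of the hunk, so what else applies is not visible here.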
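Review bot: In `CredentialAccess`, the `user` branch now decides ownership with a direct `UserAccess(self.user).can_admin(user_obj, None, check_setting=False)` call, while the `team` branch just below still goes through `check_user_access(self.user, Team, 'change', team_obj, None)`, so the two owner kinds no longer follow the same rule. If the Team change check also consults `MANAGE_ORGANIZATION_AUTH` (not visible in this hunk), team-owned credentials stay blocked under external user management. The new line also gives no reason for skipping the setting; a comment such as `# owning a credential is not user management, so MANAGE_ORGANIZATION_AUTH is deliberately not consulted` would make the intent reviewable. The enclosing method starts and ends outside the hunk.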
@@ -1,5 +1,7 @@
 import pytest
+import mock
+
 from awx.main.access import CredentialAccess
 from awx.main.models.credential import Credential
 from django.contrib.auth.models import User
@@ -22,6 +24,21 @@ def test_credential_access_superuser():
 assert access.can_delete(credential)
+@pytest.mark.django_db
+def test_credential_access_self(rando):
+ access = CredentialAccess(rando)
+ assert access.can_add({'user': rando.pk})
+
+
+@pytest.mark.django_db
+@pytest.mark.parametrize('ext_auth', [True, False])
+def test_credential_access_org_user(org_member, org_admin, ext_auth):
+ access = CredentialAccess(org_admin)
+ with mock.patch('awx.main.access.settings') as settings_mock:
+ settings_mock.MANAGE_ORGANIZATION_AUTH = ext_auth
+ assert access.can_add({'user': org_member.pk})
+
+
 @pytest.mark.django_db
 def test_credential_access_auditor(credential, organization_factory):
 objects = organization_factory("org_cred_auditor",
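Review bot: Both new tests, `test_credential_access_self` and `test_credential_access_org_user`, assert only that access is granted, so nothing pins the requests that must stay refused now that `can_add` reaches `can_admin` with `check_setting=False`. A test in which a user with no admin role over the target asks for a credential owned by someone else, run with `MANAGE_ORGANIZATION_AUTH` both on and off, would catch a regression that widens the bypass; the sketch below assumes the `rando` fixture holds no role over `org_member`. Separately, `mock.patch('awx.main.access.settings')` replaces the whole settings object with a mock, so any other setting read inside `can_add` comes back truthy; patching only the one attribute would keep the rest real.

```python
@pytest.mark.django_db
@pytest.mark.parametrize('ext_auth', [True, False])
def test_credential_access_other_user_denied(rando, org_member, ext_auth):
    # rando is assumed to have no admin role over org_member
    access = CredentialAccess(rando)
    with mock.patch('awx.main.access.settings') as settings_mock:
        settings_mock.MANAGE_ORGANIZATION_AUTH = ext_auth
        assert not access.can_add({'user': org_member.pk})
```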