Merge pull request #5245 from AlanCoding/inv_src_cred

check related credential for inventory source

awx/main/access.py

@@ -755,7 +755,10 @@ class InventorySourceAccess(BaseAccess):
     def can_change(self, obj, data):
         # Checks for admin or change permission on group.
         if obj and obj.group:
-            return self.user.can_access(Group, 'change', obj.group, None)
+            return (
+                self.user.can_access(Group, 'change', obj.group, None) and
+                self.check_related('credential', Credential, data, obj=obj, role_field='use_role')
+            )
         # Can't change inventory sources attached to only the inventory, since
         # these are created automatically from the management command.
         else:

awx/main/tests/functional/test_rbac_inventory.py

@@ -8,6 +8,7 @@ from awx.main.models import (
 )
 from awx.main.access import (
     InventoryAccess,
+    InventorySourceAccess,
     HostAccess,
     InventoryUpdateAccess,
     CustomInventoryScriptAccess
@@ -271,4 +272,8 @@ def test_host_access(organization, inventory, group, user, group_factory):
     assert inventory_admin_access.can_read(host) is False
 
 
-
+@pytest.mark.django_db
+def test_inventory_source_credential_check(rando, inventory_source, credential):
+    inventory_source.group.inventory.admin_role.members.add(rando)
+    access = InventorySourceAccess(rando)
+    assert not access.can_change(inventory_source, {'credential': credential})