From 30b212b724f59be1bdbb429bae1066b2d67cd224 Mon Sep 17 00:00:00 2001
From: AlanCoding
Date: Mon, 12 Dec 2016 11:11:25 -0500
Subject: [PATCH] fix RBAC bugs associated with WFJT copy
---
 awx/api/views.py | 8 +++++---
 awx/main/access.py | 2 +-
 awx/main/tests/functional/test_rbac_workflow.py | 13 +++++++++++++
 3 files changed, 19 insertions(+), 4 deletions(-)
diff --git a/awx/api/views.py b/awx/api/views.py
index b82cb424d6..23d94ea336 100644
--- a/awx/api/views.py
+++ b/awx/api/views.py
@@ -2888,11 +2888,13 @@ class WorkflowJobTemplateCopy(WorkflowsEnforcementMixin, GenericAPIView):
 def post(self, request, *args, **kwargs):
 obj = self.get_object()
 if not request.user.can_access(self.model, 'copy', obj):
- return PermissionDenied()
- new_wfjt = obj.user_copy(request.user)
+ raise PermissionDenied()
+ new_obj = obj.user_copy(request.user)
+ if request.user not in new_obj.admin_role:
+ new_obj.admin_role.members.add(request.user)
 data = OrderedDict()
 data.update(WorkflowJobTemplateSerializer(
- new_wfjt, context=self.get_serializer_context()).to_representation(new_wfjt))
+ new_obj, context=self.get_serializer_context()).to_representation(new_obj))
 return Response(data, status=status.HTTP_201_CREATED)
diff --git a/awx/main/access.py b/awx/main/access.py
index b1e9beebc6..2ddc66ae02 100644
--- a/awx/main/access.py
+++ b/awx/main/access.py
@@ -1549,7 +1549,7 @@ class WorkflowJobTemplateAccess(BaseAccess):
 wfjt_errors[node.id] = node_errors
 self.messages.update(wfjt_errors)
- return self.check_related('organization', Organization, {}, obj=obj, mandatory=True)
+ return self.check_related('organization', Organization, {'reference_obj': obj}, mandatory=True)
 def can_start(self, obj, validate_license=True):
 if validate_license:
diff --git a/awx/main/tests/functional/test_rbac_workflow.py b/awx/main/tests/functional/test_rbac_workflow.py
index 80eae5af8b..96137f315f 100644
--- a/awx/main/tests/functional/test_rbac_workflow.py
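Review bot: In `post` in awx/api/views.py, `obj.user_copy(request.user)` and the following `new_obj.admin_role.members.add(request.user)` are two separate writes, and nothing in the hunk shows them running in one transaction; if the second one fails, a copy is left behind that the requester was never made admin of. Unless the view is already covered by a request-level transaction (not visible here), both calls belong inside `with transaction.atomic():`, assuming `transaction` is importable in this module. The admin grant also rests entirely on the `can_access(self.model, 'copy', obj)` check above it, so a comment such as `# copier becomes admin of the copy; the 'copy' access check above is the only gate for this grant` would keep later edits from separating the two. The method lies fully inside the hunk; the class header is outside it.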
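Review bot: The new `check_related('organization', Organization, {'reference_obj': obj}, mandatory=True)` call in awx/main/access.py puts the whole authorization decision for copy into a dict key whose meaning is not visible at the call site. A comment above it, e.g. `# copy is authorized like a create: the user needs the required role on the source WFJT's organization`, would record why `obj=` was dropped; presumably the check is now evaluated as for a new object rather than an unchanged existing one, which should be confirmed against `check_related`. It is also worth stating what happens when `obj.organization` is unset, since `mandatory=True` suggests the copy is then refused, and no added test covers that case. The enclosing method starts above the hunk.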
+++ b/awx/main/tests/functional/test_rbac_workflow.py
@@ -71,6 +71,19 @@ class TestWorkflowJobAccess:
 access = WorkflowJobAccess(rando)
 assert access.can_cancel(workflow_job)
+ def test_copy_permissions_org_admin(self, wfjt, org_admin, org_member):
+ admin_access = WorkflowJobTemplateAccess(org_admin)
+ assert admin_access.can_copy(wfjt)
+
+ def test_copy_permissions_user(self, wfjt, org_admin, org_member):
+ '''
+ Only org admins are able to add WFJTs, only org admins
+ are able to copy them
+ '''
+ wfjt.admin_role.members.add(org_member)
+ member_access = WorkflowJobTemplateAccess(org_member)
+ assert not member_access.can_copy(wfjt)
+
 def test_workflow_copy_warnings_inv(self, wfjt, rando, inventory):
 '''
 The user `rando` does not have access to the prompted inventory in a
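Review bot: Both added tests call `WorkflowJobTemplateAccess.can_copy` directly, so the two changes in awx/api/views.py (raising `PermissionDenied` instead of returning it, and adding the requester to `new_obj.admin_role`) have no test. A request-level test that posts to the copy endpoint as `org_member` and expects a 403, and as `org_admin` and then checks the new template's `admin_role`, would pin the behaviour this commit fixes. A smaller point: `org_member` is unused in `test_copy_permissions_org_admin` and `org_admin` is unused in `test_copy_permissions_user`; if they are requested only for their fixture side effects, a comment should say so, otherwise they can be dropped.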