From 4831cde39fb9071713b559b3ddd1ec9440131a0a Mon Sep 17 00:00:00 2001
From: AlanCoding
Date: Wed, 20 Mar 2019 15:03:18 -0400
Subject: [PATCH] fix bug where cred org permission was not checked
---
 awx/main/access.py | 15 ++++++++++-----
 awx/main/tests/functional/test_rbac_credential.py | 13 +++++++++++++
 2 files changed, 23 insertions(+), 5 deletions(-)
diff --git a/awx/main/access.py b/awx/main/access.py
index 1bce7f4f54..78aaa2f5d2 100644
--- a/awx/main/access.py
+++ b/awx/main/access.py
@@ -1168,15 +1168,20 @@ class CredentialAccess(BaseAccess):
 return True
 if data and data.get('user', None):
 user_obj = get_object_from_data('user', User, data)
- return bool(self.user == user_obj or UserAccess(self.user).can_admin(user_obj, None, check_setting=False))
+ if not bool(self.user == user_obj or UserAccess(self.user).can_admin(user_obj, None, check_setting=False)):
+ return False
 if data and data.get('team', None):
 team_obj = get_object_from_data('team', Team, data)
- return check_user_access(self.user, Team, 'change', team_obj, None)
+ if not check_user_access(self.user, Team, 'change', team_obj, None):
+ return False
 if data and data.get('organization', None):
 organization_obj = get_object_from_data('organization', Organization, data)
- return any([check_user_access(self.user, Organization, 'change', organization_obj, None),
- self.user in organization_obj.credential_admin_role])
- return False
+ if not any([check_user_access(self.user, Organization, 'change', organization_obj, None),
+ self.user in organization_obj.credential_admin_role]):
+ return False
+ if not any(data.get(key, None) for key in ('user', 'team', 'organization')):
+ return False # you have to provide 1 owner field
+ return True
 
 @check_superuser
 def can_use(self, obj):
diff --git a/awx/main/tests/functional/test_rbac_credential.py b/awx/main/tests/functional/test_rbac_credential.py
index b114f1b8ba..f37260eb65 100644
--- a/awx/main/tests/functional/test_rbac_credential.py
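Review bot: The new control flow requires every owner field present in `data` to pass its own permission check, where the old code returned on the first field it found, but nothing in the hunk states this and the trailing `any(...)` guard reads like a fourth permission check rather than an "at least one owner" rule; a comment above the first `if data and data.get('user', None):` such as `# Every owner field that is set must be authorized; the final any() only rejects a payload that names no owner at all` would make the intent reviewable. The `bool(...)` wrapper in `if not bool(self.user == user_obj or ...)` is redundant now that the expression feeds an `if`, so `if not (self.user == user_obj or UserAccess(self.user).can_admin(user_obj, None, check_setting=False)):` reads cleaner. The `data and` prefixes on the three guards appear redundant with the early `return True` on the hunk's first context line, which looks like the empty-data exit, but that condition sits outside the hunk, so confirm before dropping them. The enclosing `can_add` method starts before the hunk.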
+++ b/awx/main/tests/functional/test_rbac_credential.py
@@ -74,6 +74,19 @@ def test_org_credential_access_admin(role_name, alice, org_credential):
 'organization': org_credential.organization.pk})
 
 
+@pytest.mark.django_db
+def test_org_and_user_credential_access(alice, organization):
+ """Address specific bug where any user could make an org credential
+ in another org without any permissions to that org
+ """
+ # Owner is both user and org, but org permission should still be checked
+ assert not CredentialAccess(alice).can_add({
+ 'name': 'New credential.',
+ 'user': alice.pk,
+ 'organization': organization.pk
+ })
+
+
 @pytest.mark.django_db
 def test_org_credential_access_member(alice, org_credential):
 org_credential.admin_role.members.add(alice)
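Review bot: The new test pins only the denial for a user+organization payload, so a regression that makes `can_add` refuse every multi-owner payload would still pass; a companion positive assertion in the same test would catch that, e.g. `organization.credential_admin_role.members.add(alice)` followed by `assert CredentialAccess(alice).can_add({'name': 'New credential.', 'user': alice.pk, 'organization': organization.pk})`. The same all-fields-must-pass rule now applies to team+organization and user+team payloads, which the visible hunk does not exercise. The `.members.add` form mirrors `org_credential.admin_role.members.add(alice)` two lines below and `credential_admin_role` is the role the access check consults in awx/main/access.py, but confirm the `organization` fixture exposes it before relying on that line.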