From d2ec880cad64e06a7b3ca061fc144bc9bcfb3f53 Mon Sep 17 00:00:00 2001
From: AlanCoding
Date: Mon, 2 Apr 2018 15:49:10 -0400
Subject: [PATCH 1/2] allow org members to see teams in org
---
 .../0028_v330_members_can_see_teams.py | 31 +++++++++++++++++++
 awx/main/models/organization.py | 2 +-
 2 files changed, 32 insertions(+), 1 deletion(-)
 create mode 100644 awx/main/migrations/0028_v330_members_can_see_teams.py
diff --git a/awx/main/migrations/0028_v330_members_can_see_teams.py b/awx/main/migrations/0028_v330_members_can_see_teams.py
new file mode 100644
index 0000000000..7d461c40dc
--- /dev/null
+++ b/awx/main/migrations/0028_v330_members_can_see_teams.py
@@ -0,0 +1,31 @@
+# -*- coding: utf-8 -*-
+# Generated by Django 1.11.11 on 2018-04-02 19:18
+from __future__ import unicode_literals
+
+from django.db import migrations
+from django.conf import settings
+from django.db import migrations, models
+import django.db.models.deletion
+
+import awx.main.fields
+
+from awx.main.migrations import ActivityStreamDisabledMigration
+from awx.main.migrations import _rbac as rbac
+from awx.main.migrations import _migration_utils as migration_utils
+
+
+class Migration(ActivityStreamDisabledMigration):
+
+ dependencies = [
+ ('main', '0027_v330_add_tower_verify'),
+ ]
+
+ operations = [
+ migrations.AlterField(
+ model_name='team',
+ name='read_role',
+ field=awx.main.fields.ImplicitRoleField(null=b'True', on_delete=django.db.models.deletion.CASCADE, parent_role=[b'organization.auditor_role', b'organization.member_role', b'member_role'], related_name='+', to='main.Role'),
+ ),
+ migrations.RunPython(migration_utils.set_current_apps_for_migrations),
+ migrations.RunPython(rbac.rebuild_role_hierarchy),
+ ]
diff --git a/awx/main/models/organization.py b/awx/main/models/organization.py
index db406fd2ed..8bf0701821 100644
--- a/awx/main/models/organization.py
+++ b/awx/main/models/organization.py
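Review bot: Neither `migrations.RunPython(...)` call at the end of `operations` passes `reverse_code`, so Django will refuse to unapply this migration, and it is the one that widens who can read teams. A rollback path is worth having here, e.g. `migrations.RunPython(rbac.rebuild_role_hierarchy, reverse_code=rbac.rebuild_role_hierarchy)`; whether the reverse should rebuild again or be `migrations.RunPython.noop` depends on how `rebuild_role_hierarchy` resolves parent roles, which is not visible in this patch. Separately, `from django.db import migrations` is imported twice, and `settings` and `models` look unused.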
@@ -112,7 +112,7 @@ class Team(CommonModelNameNotUnique, ResourceMixin):
 parent_role='admin_role',
 )
 read_role = ImplicitRoleField(
- parent_role=['organization.auditor_role', 'member_role'],
+ parent_role=['organization.auditor_role', 'organization.member_role', 'member_role'],
 )
 def get_absolute_url(self, request=None):
From fe04f69e891078dd3e6eabd2171796c20ff08114 Mon Sep 17 00:00:00 2001
From: AlanCoding
Date: Tue, 3 Apr 2018 07:50:49 -0400
Subject: [PATCH 2/2] update tests for org members seeing teams
---
 awx/main/tests/functional/api/test_organization_counts.py | 4 ++--
 awx/main/tests/functional/test_projects.py | 6 +++---
 awx/main/tests/functional/test_rbac_api.py | 4 ++--
 3 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/awx/main/tests/functional/api/test_organization_counts.py b/awx/main/tests/functional/api/test_organization_counts.py
index 9c4f536b09..67bbb81858 100644
--- a/awx/main/tests/functional/api/test_organization_counts.py
+++ b/awx/main/tests/functional/api/test_organization_counts.py
@@ -92,7 +92,7 @@ def test_org_counts_detail_member(resourced_organization, user, get):
 'job_templates': 0,
 'projects': 0,
 'inventories': 0,
- 'teams': 0
+ 'teams': 5
 }
@@ -123,7 +123,7 @@ def test_org_counts_list_member(resourced_organization, user, get):
 'job_templates': 0,
 'projects': 0,
 'inventories': 0,
- 'teams': 0
+ 'teams': 5
 }
diff --git a/awx/main/tests/functional/test_projects.py b/awx/main/tests/functional/test_projects.py
index 55cc484006..dab22a4d45 100644
--- a/awx/main/tests/functional/test_projects.py
+++ b/awx/main/tests/functional/test_projects.py
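Review bot: The new `'organization.member_role'` parent on `Team.read_role` carries no comment, although it is an access-control widening: every member of an organization now inherits read on every team in it. The test updates later in this series show that this also makes `team.member_role` appear in role listings for users who are not on the team. I would record the intent next to the field, e.g. `# org members may read all teams in their org; this exposes team roles to non-members of the team`. Whether resources granted through a team stay limited to `member_role` cannot be confirmed from this hunk, since the rest of the `Team` class is outside it.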
@@ -176,9 +176,9 @@ def test_team_project_list(get, team_project_list):
 @pytest.mark.django_db
-def test_team_project_list_fail1(get, team_project_list):
- objects = team_project_list
- res = get(reverse('api:team_projects_list', kwargs={'pk':objects.teams.team2.pk,}), objects.users.alice)
+def test_team_project_list_fail1(get, team, rando):
+ # user not in organization not allowed to see team-based views
+ res = get(reverse('api:team_projects_list', kwargs={'pk':team.pk,}), rando)
 assert res.status_code == 403
diff --git a/awx/main/tests/functional/test_rbac_api.py b/awx/main/tests/functional/test_rbac_api.py
index a390b4c54f..a67474a9bb 100644
--- a/awx/main/tests/functional/test_rbac_api.py
+++ b/awx/main/tests/functional/test_rbac_api.py
@@ -58,9 +58,9 @@ def test_get_roles_list_user(organization, inventory, team, get, user):
 assert organization.member_role.id in role_hash
 assert this_user.admin_role.id in role_hash
 assert custom_role.id in role_hash
+ assert team.member_role.id in role_hash
 assert inventory.admin_role.id not in role_hash
- assert team.member_role.id not in role_hash
 @pytest.mark.django_db
@@ -151,7 +151,7 @@ def test_user_view_other_user_roles(organization, inventory, team, get, alice, b
 assert custom_role.id not in role_hash # doesn't show up in the user roles list, not an explicit grant
 assert Role.singleton(ROLE_SINGLETON_SYSTEM_ADMINISTRATOR).id not in role_hash
 assert inventory.admin_role.id not in role_hash
- assert team.member_role.id not in role_hash # alice can't see this
+ assert team.member_role.id in role_hash # alice can see team in her org
 # again but this time alice is part of the team, and should be able to see the team role
 team.member_role.members.add(alice)
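Review bot: Switching `test_team_project_list_fail1` to `rando` removes the only visible check of an organization member who is not on the team requesting `api:team_projects_list`. After this series that request presumably succeeds instead of returning 403, and nothing shown here pins what it returns. A companion test should keep the old `team_project_list` / `objects.users.alice` / `team2` setup and assert the new status, plus that the listing contains only projects alice can already read, so the wider team visibility is shown not to expose team-granted projects.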
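Review bot: In `test_user_view_other_user_roles`, the comment `# again but this time alice is part of the team, and should be able to see the team role` no longer describes a change of state, because the assertion just above it now passes before alice is added to the team. The lines after `team.member_role.members.add(alice)` are outside the hunk, so this is inferred, but that second half probably repeats a check that already holds. Either reword the comment or start the test from a user outside the organization, so that the before and after cases still differ.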