From c4e320bf7662a00311e82614d5142c8d14054935 Mon Sep 17 00:00:00 2001
From: Matthew Jones <mat@matburt.net>
Date: Tue, 3 Mar 2015 15:08:18 -0500
Subject: [PATCH] rbac tweaks for scan jobs templates

---
 awx/main/access.py | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/awx/main/access.py b/awx/main/access.py
index 2ee2f836d3..8c2ba23c67 100644
--- a/awx/main/access.py
+++ b/awx/main/access.py
@@ -851,8 +851,10 @@ class JobTemplateAccess(BaseAccess):
         )
         # FIXME: Check active status on related objects!
         org_admin_qs = base_qs.filter(
-            project__organizations__admins__in=[self.user]
+            Q(project__organizations__admins__in=[self.user]) |
+            (Q(project__isnull=True) & Q(job_type=PERM_INVENTORY_SCAN) & Q(inventory__organization__admins__in=[self.user]))
         )
+
         allowed_deploy = [PERM_JOBTEMPLATE_CREATE, PERM_INVENTORY_DEPLOY]
         allowed_check = [PERM_JOBTEMPLATE_CREATE, PERM_INVENTORY_DEPLOY, PERM_INVENTORY_CHECK]
 
@@ -1048,8 +1050,10 @@ class JobAccess(BaseAccess):
             credential_id__in=credential_ids,
         )
         org_admin_qs = base_qs.filter(
-            project__organizations__admins__in=[self.user]
+            Q(project__organizations__admins__in=[self.user]) |
+            (Q(project__isnull=True) & Q(job_type=PERM_INVENTORY_SCAN) & Q(inventory__organization__admins__in=[self.user]))
         )
+
         allowed_deploy = [PERM_JOBTEMPLATE_CREATE, PERM_INVENTORY_DEPLOY]
         allowed_check = [PERM_JOBTEMPLATE_CREATE, PERM_INVENTORY_DEPLOY, PERM_INVENTORY_CHECK]
         team_ids = set(Team.objects.filter(users__in=[self.user]).values_list('id', flat=True))