From c63176109129ff399f61f0fa54bef3e6c6042a08 Mon Sep 17 00:00:00 2001
From: AlanCoding
Date: Mon, 13 Jun 2016 12:34:10 -0400
Subject: [PATCH] check team permissions if attaching user roles
---
 awx/main/access.py | 7 ++++---
 awx/main/tests/functional/api/test_create_attach_views.py | 3 ---
 awx/main/tests/functional/test_rbac_role.py | 1 -
 3 files changed, 4 insertions(+), 7 deletions(-)
diff --git a/awx/main/access.py b/awx/main/access.py
index 2a4f4746b0..17b787ea60 100644
--- a/awx/main/access.py
+++ b/awx/main/access.py
@@ -660,8 +660,9 @@ class TeamAccess(BaseAccess):
 return self.can_change(obj, None)
 def can_attach(self, obj, sub_obj, relationship, *args, **kwargs):
- "Reverse obj and sub_obj, defer to RoleAccess if this is a role assignment."
- if relationship == 'member_role.children':
+ """Reverse obj and sub_obj, defer to RoleAccess if this is an assignment
+ of a resource role to the team."""
+ if isinstance(sub_obj, Role) and isinstance(sub_obj.content_object, ResourceMixin):
 role_access = RoleAccess(self.user)
 return role_access.can_attach(sub_obj, obj, 'member_role.parents', *args, **kwargs)
@@ -669,7 +670,7 @@ class TeamAccess(BaseAccess):
 *args, **kwargs)
 def can_unattach(self, obj, sub_obj, relationship, *args, **kwargs):
- if relationship == 'member_role.children':
+ if isinstance(sub_obj, Role) and isinstance(sub_obj.content_object, ResourceMixin):
 role_access = RoleAccess(self.user)
 return role_access.can_unattach(sub_obj, obj, 'member_role.parents', *args, **kwargs)
diff --git a/awx/main/tests/functional/api/test_create_attach_views.py b/awx/main/tests/functional/api/test_create_attach_views.py
index 4882b8563a..5399356a21 100644
--- a/awx/main/tests/functional/api/test_create_attach_views.py
+++ b/awx/main/tests/functional/api/test_create_attach_views.py
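Review bot: The new guard in `can_attach` no longer consults `relationship`, so any `Role` whose `content_object` is a `ResourceMixin` is routed to `RoleAccess` whatever relationship the caller named, while every other role (a `content_object` that is unset or not a `ResourceMixin`) falls through to the check after the branch, which lies outside this hunk and is presumably the inherited `can_attach`. It is worth confirming that the fall-through path applies an authorization check suited to a role assignment, and stating it in the docstring, for example `Roles not tied to a resource are checked by the inherited can_attach.` The identical condition is repeated in `can_unattach` in the next hunk (whose body also ends outside the hunk), so a shared helper such as `_is_resource_role(sub_obj)` would keep the two in step. The test changes in this patch only delete assertions, so neither side of the new branch appears to be exercised by a new case here.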
@@ -15,7 +15,6 @@ def test_user_role_view_access(rando, inventory, mocker, post):
 mock_access.can_attach.assert_called_once_with( inventory.admin_role, rando, 'members', data, skip_sub_obj_read_check=False)
- assert rando not in inventory.admin_role
 @pytest.mark.django_db
 def test_team_role_view_access(rando, team, inventory, mocker, post):
@@ -30,7 +29,6 @@ def test_team_role_view_access(rando, team, inventory, mocker, post):
 mock_access.can_attach.assert_called_once_with( inventory.admin_role, team, 'member_role.parents', data, skip_sub_obj_read_check=False)
- assert team not in inventory.admin_role
 @pytest.mark.django_db
 def test_role_team_view_access(rando, team, inventory, mocker, post):
@@ -45,4 +43,3 @@ def test_role_team_view_access(rando, team, inventory, mocker, post):
 mock_access.assert_called_once_with( inventory.admin_role, team, 'member_role.parents', data, skip_sub_obj_read_check=False)
- assert team not in inventory.admin_role
diff --git a/awx/main/tests/functional/test_rbac_role.py b/awx/main/tests/functional/test_rbac_role.py
index c180efc198..613051e395 100644
--- a/awx/main/tests/functional/test_rbac_role.py
+++ b/awx/main/tests/functional/test_rbac_role.py
@@ -30,4 +30,3 @@ def test_role_access_attach(rando, inventory):
 inventory.read_role.members.add(rando)
 access = RoleAccess(rando)
 assert not access.can_attach(inventory.admin_role, rando, 'members', None)
-