From 0fcc9abd696929817a3bc40b36b21fe954372dea Mon Sep 17 00:00:00 2001
From: AlanCoding <arominge@redhat.com>
Date: Tue, 12 Jul 2016 10:27:30 -0400
Subject: [PATCH 1/2] allow org auditors to see notifications

---
 awx/main/access.py                              |  5 ++++-
 awx/main/tests/functional/conftest.py           | 14 +++++++++++++-
 .../tests/functional/test_rbac_notifications.py | 17 ++++++++++++++++-
 3 files changed, 33 insertions(+), 3 deletions(-)

diff --git a/awx/main/access.py b/awx/main/access.py
index b1e7c2fd7d..40eb3db2e1 100644
--- a/awx/main/access.py
+++ b/awx/main/access.py
@@ -1420,7 +1420,10 @@ class NotificationAccess(BaseAccess):
         qs = self.model.objects.all()
         if self.user.is_superuser or self.user.is_system_auditor:
             return qs
-        return self.model.objects.filter(notification_template__organization__in=Organization.accessible_objects(self.user, 'admin_role'))
+        return self.model.objects.filter(
+            Q(notification_template__organization__in=self.user.admin_of_organizations) |
+            Q(notification_template__organization__in=self.user.auditor_of_organizations)
+        ).distinct()
 
     def can_read(self, obj):
         return self.user.can_access(NotificationTemplate, 'read', obj.notification_template)
diff --git a/awx/main/tests/functional/conftest.py b/awx/main/tests/functional/conftest.py
index 3c335a2840..fdc3d3d95e 100644
--- a/awx/main/tests/functional/conftest.py
+++ b/awx/main/tests/functional/conftest.py
@@ -38,7 +38,10 @@ from awx.main.models.organization import (
     Team,
 )
 
-from awx.main.models.notifications import NotificationTemplate
+from awx.main.models.notifications import (
+    NotificationTemplate,
+    Notification
+)
 
 '''
 Disable all django model signals.
@@ -193,6 +196,15 @@ def notification_template(organization):
                                                notification_configuration=dict(url="http://localhost",
                                                                                headers={"Test": "Header"}))
 
+@pytest.fixture
+def notification(notification_template):
+    return Notification.objects.create(notification_template=notification_template,
+                                       status='successful',
+                                       notifications_sent=1,
+                                       notification_type='email',
+                                       recipients='admin@admin.com',
+                                       subject='email subject')
+
 @pytest.fixture
 def job_with_secret_key(job_with_secret_key_factory):
     return job_with_secret_key_factory(persisted=True)
diff --git a/awx/main/tests/functional/test_rbac_notifications.py b/awx/main/tests/functional/test_rbac_notifications.py
index cafef084e6..1af0d06818 100644
--- a/awx/main/tests/functional/test_rbac_notifications.py
+++ b/awx/main/tests/functional/test_rbac_notifications.py
@@ -1,6 +1,9 @@
 import pytest
 
-from awx.main.access import NotificationTemplateAccess
+from awx.main.access import (
+    NotificationTemplateAccess,
+    NotificationAccess
+)
 
 @pytest.mark.django_db
 def test_notification_template_get_queryset_orgmember(notification_template, user):
@@ -86,3 +89,15 @@ def test_notificaiton_template_orphan_access_org_admin(notification_template, or
     notification_template.organization = None
     access = NotificationTemplateAccess(org_admin)
     assert not access.can_change(notification_template, {'organization': organization.id})
+
+@pytest.mark.django_db
+def test_notification_access_org_admin(notification, org_admin):
+    access = NotificationAccess(org_admin)
+    assert access.get_queryset().count() == 1
+    assert access.can_read(notification)
+
+@pytest.mark.django_db
+def test_notification_access_org_auditor(notification, org_auditor):
+    access = NotificationAccess(org_auditor)
+    assert access.get_queryset().count() == 1
+    assert access.can_read(notification)

From 36286bcda2f778148ec098b37ca544ba8773b41c Mon Sep 17 00:00:00 2001
From: AlanCoding <arominge@redhat.com>
Date: Tue, 12 Jul 2016 11:14:29 -0400
Subject: [PATCH 2/2] notifier rbac test made consistent with others

---
 awx/main/tests/functional/conftest.py         |  2 +-
 .../functional/test_rbac_notifications.py     | 20 +++++++++++++++++--
 2 files changed, 19 insertions(+), 3 deletions(-)

diff --git a/awx/main/tests/functional/conftest.py b/awx/main/tests/functional/conftest.py
index fdc3d3d95e..f970adc2e7 100644
--- a/awx/main/tests/functional/conftest.py
+++ b/awx/main/tests/functional/conftest.py
@@ -202,7 +202,7 @@ def notification(notification_template):
                                        status='successful',
                                        notifications_sent=1,
                                        notification_type='email',
-                                       recipients='admin@admin.com',
+                                       recipients='admin@redhat.com',
                                        subject='email subject')
 
 @pytest.fixture
diff --git a/awx/main/tests/functional/test_rbac_notifications.py b/awx/main/tests/functional/test_rbac_notifications.py
index 1af0d06818..a9a5e7c5f9 100644
--- a/awx/main/tests/functional/test_rbac_notifications.py
+++ b/awx/main/tests/functional/test_rbac_notifications.py
@@ -91,13 +91,29 @@ def test_notificaiton_template_orphan_access_org_admin(notification_template, or
     assert not access.can_change(notification_template, {'organization': organization.id})
 
 @pytest.mark.django_db
-def test_notification_access_org_admin(notification, org_admin):
+def test_notification_access_get_queryset_org_admin(notification, org_admin):
     access = NotificationAccess(org_admin)
     assert access.get_queryset().count() == 1
+
+@pytest.mark.django_db
+def test_notification_access_get_queryset_org_auditor(notification, org_auditor):
+    access = NotificationAccess(org_auditor)
+    assert access.get_queryset().count() == 1
+
+@pytest.mark.django_db
+def test_notification_access_system_admin(notification, admin):
+    access = NotificationAccess(admin)
     assert access.can_read(notification)
+    assert access.can_delete(notification)
+
+@pytest.mark.django_db
+def test_notification_access_org_admin(notification, org_admin):
+    access = NotificationAccess(org_admin)
+    assert access.can_read(notification)
+    assert access.can_delete(notification)
 
 @pytest.mark.django_db
 def test_notification_access_org_auditor(notification, org_auditor):
     access = NotificationAccess(org_auditor)
-    assert access.get_queryset().count() == 1
     assert access.can_read(notification)
+    assert not access.can_delete(notification)