From cb83ee3ec6e96417af748cf318781ef6a168edd8 Mon Sep 17 00:00:00 2001
From: Akita Noek
Date: Tue, 22 Mar 2016 11:40:06 -0400
Subject: [PATCH] Tightened user can_admin access so only sys admins and org admins can admin users
---
 awx/main/access.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/awx/main/access.py b/awx/main/access.py
index 73f8793085..d07907d16c 100644
--- a/awx/main/access.py
+++ b/awx/main/access.py
@@ -244,7 +244,7 @@ class UserAccess(BaseAccess):
         # Admin implies changing all user fields.
         if self.user.is_superuser:
             return True
-        return obj.accessible_by(self.user, {'create': True, 'write':True, 'update':True, 'read':True})
+        return Organization.objects.filter(member_role__members=obj, admin_role__members=self.user).exists()
 
     def can_delete(self, obj):
         if obj == self.user:
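Review bot: The added org-admin check does not exclude a target user who is a superuser, so an organization admin can administer any superuser who happens to be a member of their org, and the context comment "Admin implies changing all user fields" means that includes credentials and contact fields — a privilege-escalation path unless it is blocked somewhere outside this hunk. I would guard the target before the membership query: `if obj.is_superuser:` / `    return False` ahead of the `Organization.objects.filter(...)` line, or fold `is_superuser=False` into the target condition. It is also worth confirming that `Organization` is imported in access.py and that the self-edit case (`obj == self.user`, which `can_delete` below handles specially) is still covered by another permission method now that the broader `accessible_by` path is gone. The `can_admin` signature and any earlier checks are outside the hunk.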