From d5564e8d81003678a110ccba6f51a004aa22d581 Mon Sep 17 00:00:00 2001
From: Wayne Witzel III
Date: Mon, 19 Mar 2018 15:14:08 -0400
Subject: [PATCH] Fix user capabilities when MANAGE_ORGANIZATION_AUTH is disabled
---
 awx/main/access.py | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/awx/main/access.py b/awx/main/access.py
index adf7e083bd..691e202a93 100644
--- a/awx/main/access.py
+++ b/awx/main/access.py
@@ -335,6 +335,10 @@ class BaseAccess(object):
 if display_method not in method_list:
 continue
+ if not settings.MANAGE_ORGANIZATION_AUTH and isinstance(obj, (Team, User)):
+ user_capabilities[display_method] = self.user.is_superuser
+ continue
+
 # Actions not possible for reason unrelated to RBAC
 # Cannot copy with validation errors, or update a manual group/project
 if display_method == 'copy' and isinstance(obj, JobTemplate):
@@ -352,9 +356,6 @@ class BaseAccess(object):
 # Connot copy manual project without errors
 user_capabilities[display_method] = False
 continue
- elif display_method == 'copy' and (isinstance(obj, Team) or isinstance(obj, User)):
- user_capabilities[display_method] = False
- continue
 elif display_method in ['start', 'schedule'] and isinstance(obj, Group): # TODO: remove in 3.3
 try:
 if obj.deprecated_inventory_source and not obj.deprecated_inventory_source._can_update():
@@ -528,7 +529,7 @@ class UserAccess(BaseAccess):
 @check_superuser
 def can_admin(self, obj, data):
- if not settings.MANAGE_ORGANIZTION_AUTH:
+ if not settings.MANAGE_ORGANIZATION_AUTH:
 return False
 return Organization.objects.filter(Q(member_role__members=obj) | Q(admin_role__members=obj), Q(admin_role__members=self.user)).exists()
@@ -546,7 +547,7 @@ class UserAccess(BaseAccess):
 return False
 def can_attach(self, obj, sub_obj, relationship, *args, **kwargs):
- if not settings.MANAGE_ORGANIZTION_AUTH:
+ if not settings.MANAGE_ORGANIZTAION_AUTH:
 return False
 # Reverse obj and sub_obj, defer to RoleAccess if this is a role assignment.
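Review bot: With the `copy` branch for Team and User removed further down in this patch, the guard added here is the only place that still pins that capability, and it only runs when MANAGE_ORGANIZATION_AUTH is off; with the setting on, `copy` for these objects now falls through to whatever generic check follows outside the hunk. If copying users and teams is still unsupported, keep a `display_method == 'copy'` case for them that returns False regardless of the setting. The guard also reports `self.user.is_superuser` for every method in method_list without consulting the can_* checks, so it deserves a comment such as `# Org auth is managed externally: only superusers may act on users and teams`, and the displayed capabilities should be tested against what UserAccess actually enforces. The enclosing loop and function start and end outside the hunk.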
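Review bot: The replacement line in can_attach is still misspelled: `settings.MANAGE_ORGANIZTAION_AUTH` swaps one typo for another, while can_admin and can_unattach in this patch use the correct name. Assuming `settings` is the Django settings object and no setting of that spelling is defined, the lookup raises AttributeError, so the attach check errors out instead of returning False when the feature is disabled. Change it to `if not settings.MANAGE_ORGANIZATION_AUTH:`, and add a test that exercises can_admin, can_attach and can_unattach with the setting both on and off so a misspelled name fails in CI rather than at request time. The body of can_attach continues outside the hunk.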
@@ -556,7 +557,7 @@ class UserAccess(BaseAccess):
 return super(UserAccess, self).can_attach(obj, sub_obj, relationship, *args, **kwargs)
 def can_unattach(self, obj, sub_obj, relationship, *args, **kwargs):
- if not settings.MANAGE_ORGANIZTION_AUTH:
+ if not settings.MANAGE_ORGANIZATION_AUTH:
 return False
 if relationship == 'roles':