Add a settings that disallows org admins from seeing users outside of

their organization.   See: https://trello.com/c/M74W11hQ

awx/main/access.py

@@ -6,6 +6,7 @@ import sys
 import logging
 
 # Django
+from django.conf import settings
 from django.db.models import F, Q
 from django.contrib.auth.models import User
 
@@ -172,7 +173,7 @@ class UserAccess(BaseAccess):
         qs = self.model.objects.filter(is_active=True).distinct()
         if self.user.is_superuser:
             return qs
-        if self.user.admin_of_organizations.filter(active=True).exists():
+        if settings.ORG_ADMINS_CAN_SEE_ALL_USERS and self.user.admin_of_organizations.filter(active=True).exists():
             return qs
         return qs.filter(
             Q(pk=self.user.pk) |

awx/main/tests/users.py

@@ -244,6 +244,11 @@ class UsersTest(BaseTest):
         # Normal user is an org admin, can see all users.
         data2 = self.get(url, expect=200, auth=self.get_normal_credentials())
         self.assertEquals(data2['count'], 4)
+        # Unless the setting ORG_ADMINS_CAN_SEE_ALL_USERS is False, in which case
+        # he can only see users in his org
+        settings.ORG_ADMINS_CAN_SEE_ALL_USERS = False
+        data2 = self.get(url, expect=200, auth=self.get_normal_credentials())
+        self.assertEquals(data2['count'], 2)
         # Other use can only see users in his org.
         data1 = self.get(url, expect=200, auth=self.get_other_credentials())
         self.assertEquals(data1['count'], 2)

awx/settings/defaults.py

@@ -500,6 +500,8 @@ TASK_COMMAND_PORT = "tcp://127.0.0.1:6559"
 SOCKETIO_NOTIFICATION_PORT = "tcp://127.0.0.1:6557"
 SOCKETIO_LISTEN_PORT = 8080
 
+ORG_ADMINS_CAN_SEE_ALL_USERS = True
+
 # Logging configuration.
 LOGGING = {
     'version': 1,