From d6adb1d39896adca47f3557bb5e8fd430c10b9aa Mon Sep 17 00:00:00 2001 From: Matthew Jones Date: Mon, 6 Oct 2014 15:59:05 -0400 Subject: [PATCH] Add a settings that disallows org admins from seeing users outside of their organization. See: https://trello.com/c/M74W11hQ --- awx/main/access.py | 3 ++- awx/main/tests/users.py | 5 +++++ awx/settings/defaults.py | 2 ++ 3 files changed, 9 insertions(+), 1 deletion(-) diff --git a/awx/main/access.py b/awx/main/access.py index f894eba6f6..bb8912bd88 100644 --- a/awx/main/access.py +++ b/awx/main/access.py @@ -6,6 +6,7 @@ import sys import logging # Django +from django.conf import settings from django.db.models import F, Q from django.contrib.auth.models import User @@ -172,7 +173,7 @@ class UserAccess(BaseAccess): qs = self.model.objects.filter(is_active=True).distinct() if self.user.is_superuser: return qs - if self.user.admin_of_organizations.filter(active=True).exists(): + if settings.ORG_ADMINS_CAN_SEE_ALL_USERS and self.user.admin_of_organizations.filter(active=True).exists(): return qs return qs.filter( Q(pk=self.user.pk) | diff --git a/awx/main/tests/users.py b/awx/main/tests/users.py index 50226925f3..c53dcaa632 100644 --- a/awx/main/tests/users.py +++ b/awx/main/tests/users.py @@ -244,6 +244,11 @@ class UsersTest(BaseTest): # Normal user is an org admin, can see all users. data2 = self.get(url, expect=200, auth=self.get_normal_credentials()) self.assertEquals(data2['count'], 4) + # Unless the setting ORG_ADMINS_CAN_SEE_ALL_USERS is False, in which case + # he can only see users in his org + settings.ORG_ADMINS_CAN_SEE_ALL_USERS = False + data2 = self.get(url, expect=200, auth=self.get_normal_credentials()) + self.assertEquals(data2['count'], 2) # Other use can only see users in his org. data1 = self.get(url, expect=200, auth=self.get_other_credentials()) self.assertEquals(data1['count'], 2) diff --git a/awx/settings/defaults.py b/awx/settings/defaults.py index 88e067b62f..ea34f44161 100644 
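Review bot: With `ORG_ADMINS_CAN_SEE_ALL_USERS` set to False, an organization admin falls through to the ordinary-user `qs.filter(Q(pk=self.user.pk) | ...)` branch in the `@@ -172,7 +173,7 @@` hunk of awx/main/access.py. The rest of that filter is outside the hunk, so it is not visible whether it covers users of the organizations the admin administers or only organizations the admin belongs to. The change also narrows only this listing queryset; if the object-level checks in `UserAccess` (also outside the hunk) still key on `admin_of_organizations` alone, users outside the admin's organizations may stay readable or editable when addressed directly, so those checks are worth confirming against the same setting. A comment above the condition would help, e.g. `# Org admins see every active user only when ORG_ADMINS_CAN_SEE_ALL_USERS is enabled; otherwise they get the same filter as regular users.`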
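Review bot: The assignment `settings.ORG_ADMINS_CAN_SEE_ALL_USERS = False` in awx/main/tests/users.py is never undone. The remaining assertions in this test, and any test that runs later in the same process, therefore see the restricted value, which makes the permission tests order-dependent. Django's test-case `settings()` context manager restores the value on exit: wrap the new `self.get(...)` and `assertEquals(data2['count'], 2)` lines in `with self.settings(ORG_ADMINS_CAN_SEE_ALL_USERS=False):`, assuming `BaseTest` derives from Django's test case. The hunk shows no `settings` import for this file, so that is worth checking if the direct assignment is kept. The test method starts and ends outside the hunk.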
--- a/awx/settings/defaults.py +++ b/awx/settings/defaults.py @@ -500,6 +500,8 @@ TASK_COMMAND_PORT = "tcp://127.0.0.1:6559" SOCKETIO_NOTIFICATION_PORT = "tcp://127.0.0.1:6557" SOCKETIO_LISTEN_PORT = 8080 +ORG_ADMINS_CAN_SEE_ALL_USERS = True + # Logging configuration. LOGGING = { 'version': 1,
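Review bot: `ORG_ADMINS_CAN_SEE_ALL_USERS = True` is added without a comment even though it controls who can list user accounts, so the effect of each value should be stated next to it. Suggested: `# When False, organization admins can only see users in their own organizations; True (the default) keeps the previous behaviour of showing them every active user.` The default keeps the broader visibility, so deployments that want the restriction have to opt in explicitly in their local settings.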