From d7a41d9db75bf57358698a587c123eacb0dcff74 Mon Sep 17 00:00:00 2001
From: AlanCoding
Date: Tue, 17 Jan 2017 09:29:34 -0500
Subject: [PATCH] limit workflow job delete access to org admin

---
 awx/main/access.py                              |  8 ++++----
 awx/main/tests/functional/test_rbac_workflow.py | 10 +++++++---
 2 files changed, 11 insertions(+), 7 deletions(-)

diff --git a/awx/main/access.py b/awx/main/access.py
index 5bae7a5906..87eb783e5c 100644
--- a/awx/main/access.py
+++ b/awx/main/access.py
@@ -1625,11 +1625,11 @@ class WorkflowJobAccess(BaseAccess):
     def can_change(self, obj, data):
         return False
 
+    @check_superuser
     def can_delete(self, obj):
-        if obj.workflow_job_template is None:
-            # only superusers can delete orphaned workflow jobs
-            return self.user.is_superuser
-        return self.user in obj.workflow_job_template.admin_role
+        return (obj.workflow_job_template and
+                obj.workflow_job_template.organization and
+                self.user in obj.workflow_job_template.organization.admin_role)
 
     def get_method_capability(self, method, obj, parent_obj):
         if method == 'start':
diff --git a/awx/main/tests/functional/test_rbac_workflow.py b/awx/main/tests/functional/test_rbac_workflow.py
index f2ce04404f..8d363305d5 100644
--- a/awx/main/tests/functional/test_rbac_workflow.py
+++ b/awx/main/tests/functional/test_rbac_workflow.py
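Review bot: The new `can_delete` body returns `None` instead of `False` whenever the job has no `workflow_job_template` or the template has no `organization`, because the `and` chain short-circuits on the first falsy operand and hands that operand back; wrapping it, `return bool(obj.workflow_job_template and ...)`, keeps the method's result a real boolean for callers that serialize or compare capabilities. The removed branch carried the only comment stating that orphaned workflow jobs are superuser-only, and the new rule (organization admin rather than workflow job template admin) is written down nowhere; a one-line comment such as `# only org admins may delete; orphaned or org-less jobs are left to superusers (handled by @check_superuser)` would record the intent. That `@check_superuser` short-circuits for superusers is inferred from its name, since the decorator is defined outside this hunk. The enclosing class `WorkflowJobAccess` continues outside the hunk.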
@@ -86,11 +86,15 @@ class TestWorkflowJobTemplateNodeAccess:
 @pytest.mark.django_db
 class TestWorkflowJobAccess:
 
-    def test_wfjt_admin_delete(self, wfjt, workflow_job, rando):
-        wfjt.admin_role.members.add(rando)
-        access = WorkflowJobAccess(rando)
+    def test_org_admin_can_delete_workflow_job(self, workflow_job, org_admin):
+        access = WorkflowJobAccess(org_admin)
         assert access.can_delete(workflow_job)
 
+    def test_wfjt_admin_can_delete_workflow_job(self, workflow_job, rando):
+        workflow_job.workflow_job_template.admin_role.members.add(rando)
+        access = WorkflowJobAccess(rando)
+        assert not access.can_delete(workflow_job)
+
     def test_cancel_your_own_job(self, wfjt, workflow_job, rando):
         wfjt.execute_role.members.add(rando)
         workflow_job.created_by = rando
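Review bot: The added test `test_wfjt_admin_can_delete_workflow_job` asserts `not access.can_delete(workflow_job)`, so its name states the opposite of what it verifies; renaming it `test_wfjt_admin_cannot_delete_workflow_job` keeps a failure report readable. The hunk also exercises neither the orphaned-job case (`workflow_job.workflow_job_template = None`) nor a template whose organization is unset, which are the two paths the tightened rule now rejects for non-superusers, so a regression there would go unnoticed; one test per case asserting `not access.can_delete(workflow_job)` for `rando` would pin them down. That the `org_admin` fixture administers the organization owning `workflow_job.workflow_job_template` is inferred from its name, as the fixture is not in the hunk. Class `TestWorkflowJobAccess` continues outside the hunk.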