From d91af132c190516a0637dc133ae8866c28050492 Mon Sep 17 00:00:00 2001
From: Alan Rominger
Date: Wed, 3 Jul 2024 14:07:03 -0400
Subject: [PATCH] Fix server error assigning teams EE object roles (#15320)
---
 awx/main/models/execution_environments.py | 2 +-
 .../test_rbac_execution_environment.py | 22 ++++++++++++++++++-
 2 files changed, 22 insertions(+), 2 deletions(-)
diff --git a/awx/main/models/execution_environments.py b/awx/main/models/execution_environments.py
index 137533d0f4..8f24a9d5e2 100644
--- a/awx/main/models/execution_environments.py
+++ b/awx/main/models/execution_environments.py
@@ -68,5 +68,5 @@ class ExecutionEnvironment(CommonModel):
 raise ValidationError({'user': _('User must have view permission to Execution Environment organization')})
 if actor._meta.model_name == 'team':
 organization_cls = self._meta.get_field('organization').related_model
- if self.orgaanization not in organization_cls.access_qs(actor, 'view'):
+ if self.organization not in organization_cls.access_qs(actor, 'view'):
 raise ValidationError({'team': _('Team must have view permission to Execution Environment organization')})
diff --git a/awx/main/tests/functional/test_rbac_execution_environment.py b/awx/main/tests/functional/test_rbac_execution_environment.py
index 9146bc9b7b..b8d27f7cc4 100644
--- a/awx/main/tests/functional/test_rbac_execution_environment.py
+++ b/awx/main/tests/functional/test_rbac_execution_environment.py
@@ -3,7 +3,7 @@ import pytest
 from django.contrib.contenttypes.models import ContentType
 from awx.main.access import ExecutionEnvironmentAccess
-from awx.main.models import ExecutionEnvironment, Organization
+from awx.main.models import ExecutionEnvironment, Organization, Team
 from awx.main.models.rbac import get_role_codenames
 from awx.api.versioning import reverse
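Review bot: The team branch in awx/main/models/execution_environments.py checks access with `self.organization not in organization_cls.access_qs(actor, 'view')`, which makes Django load every organization the team can view and compare them in Python on each role assignment. Letting the database answer keeps the authorization check cheap and explicit: `if not organization_cls.access_qs(actor, 'view').filter(pk=self.organization_id).exists():`. The method starts above the hunk, so whether an execution environment without an organization is rejected before this line cannot be confirmed from here; a one-line comment at this check saying where that case is handled would help the next reader.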
@@ -77,6 +77,26 @@ def test_org_member_required_for_assignment(org_ee, ee_rd, rando, admin_user, po
 assert 'User must have view permission to Execution Environment organization' in str(r.data)
+@pytest.mark.django_db
+def test_team_view_permission_required(org_ee, ee_rd, rando, admin_user, post):
+ org2 = Organization.objects.create(name='a different team')
+ team = Team.objects.create(name='a team', organization=org2)
+ team.member_role.members.add(rando)
+ assert org_ee not in ExecutionEnvironmentAccess(rando).get_queryset() # user can not view the EE
+ url = django_reverse('roleteamassignment-list')
+ r = post(url, {'role_definition': ee_rd.pk, 'team': team.id, 'object_id': org_ee.pk}, user=admin_user, expect=400)
+ assert 'Team must have view permission to Execution Environment organization' in str(r.data)
+
+ org_view_rd = RoleDefinition.objects.create_from_permissions(
+ name='organization viewer role', permissions=['view_organization'], content_type=ContentType.objects.get_for_model(Organization)
+ )
+ org_view_rd.give_permission(team, org_ee.organization)
+ assert org_ee in ExecutionEnvironmentAccess(rando).get_queryset() # user can view the EE now
+ # can give object roles to the team now
+ post(url, {'role_definition': ee_rd.pk, 'team': team.id, 'object_id': org_ee.pk}, user=admin_user, expect=201)
+ assert rando.has_obj_perm(org_ee, 'change')
+
+
 @pytest.mark.django_db
 def test_give_object_permission_to_ee(org_ee, ee_rd, org_member, check_user_capabilities):
 access = ExecutionEnvironmentAccess(org_member)
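Review bot: After the rejected POST (`expect=400`) in `test_team_view_permission_required`, nothing asserts that the team member still lacks the permission, so the test would also pass if the assignment were saved before validation failed. Adding `assert not rando.has_obj_perm(org_ee, 'change')` directly after the 400 check would pin the fail-closed behaviour. The second organization is created with `name='a different team'`, which looks like a copy-paste slip; `name='a different org'` says what the object is. `django_reverse` and `RoleDefinition` are not imported in the visible hunks, so they are presumably already imported elsewhere in the file.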