From dfc154ed954b35f38a4b87cc6fc2e208df4bca49 Mon Sep 17 00:00:00 2001
From: AlanCoding
Date: Fri, 1 Dec 2017 10:28:16 -0500
Subject: [PATCH] allow no-op case for vault_credential
---
 awx/api/serializers.py | 3 ++-
 .../functional/test_rbac_job_templates.py | 22 +++++++++++++++++--
 2 files changed, 22 insertions(+), 3 deletions(-)
diff --git a/awx/api/serializers.py b/awx/api/serializers.py
index c4cdc3086d..a0dd5ada19 100644
--- a/awx/api/serializers.py
+++ b/awx/api/serializers.py
@@ -2446,7 +2446,8 @@ class JobOptionsSerializer(LabelsListMixin, BaseSerializer):
 cred = v1_credentials[attr] = Credential.objects.get(pk=pk)
 if cred.credential_type.kind != kind:
 raise serializers.ValidationError({attr: error})
- if view and view.request and view.request.user not in cred.use_role:
+ if ((not self.instance or cred.pk != getattr(self.instance, attr)) and
+ view and view.request and view.request.user not in cred.use_role):
 raise PermissionDenied()
 if 'project' in self.fields and 'playbook' in self.fields:
diff --git a/awx/main/tests/functional/test_rbac_job_templates.py b/awx/main/tests/functional/test_rbac_job_templates.py
index e6e526bc06..91778a3c5d 100644
--- a/awx/main/tests/functional/test_rbac_job_templates.py
+++ b/awx/main/tests/functional/test_rbac_job_templates.py
@@ -136,7 +136,7 @@ class TestJobTemplateCredentials:
 job_template, credential, 'credentials', {})
 def test_job_template_vault_cred_check(self, mocker, job_template, vault_credential, rando, project):
- # TODO: remove in 3.3
+ # TODO: remove in 3.4
 job_template.admin_role.members.add(rando)
 # not allowed to use the vault cred
 # this is checked in the serializer validate method, not access.py
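Review bot: In awx/api/serializers.py the rewritten `if ((not self.instance or cred.pk != getattr(self.instance, attr)) and` line introduces an exemption from the `use_role` check, and nothing at that line says so; an RBAC exception should be named and commented where it is made. I would pull it out as `unchanged = bool(self.instance) and cred.pk == getattr(self.instance, attr)`, test `if not unchanged and view and view.request and view.request.user not in cred.use_role:`, and add a comment such as `# no-op update: credential is already attached to this object, so use_role is not re-checked`. The comparison presumably relies on `getattr(self.instance, attr)` returning a primary key of the same type as `cred.pk`; if it returned a model instance or a string the check would still fail closed, but the no-op case would silently stop working, so that is worth confirming for every `attr` this code handles. The enclosing method starts and ends outside the hunk.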
@@ -151,9 +151,27 @@ class TestJobTemplateCredentials:
 'ask_inventory_on_launch': True,
 })
+ def test_job_template_vault_cred_check_noop(self, mocker, job_template, vault_credential, rando, project):
+ # TODO: remove in 3.4
+ job_template.credentials.add(vault_credential)
+ job_template.admin_role.members.add(rando)
+ # not allowed to use the vault cred
+ # this is checked in the serializer validate method, not access.py
+ view = mocker.MagicMock()
+ view.request = mocker.MagicMock()
+ view.request.user = rando
+ serializer = JobTemplateSerializer(job_template, context={'view': view})
+ # should not raise error:
+ serializer.validate({
+ 'vault_credential': vault_credential.pk,
+ 'project': project, # necessary because job_template fixture fails validation
+ 'playbook': 'helloworld.yml',
+ 'ask_inventory_on_launch': True,
+ })
+
 def test_new_jt_with_vault(self, mocker, vault_credential, project, rando):
 project.admin_role.members.add(rando)
- # TODO: remove in 3.3
+ # TODO: remove in 3.4
 # this is checked in the serializer validate method, not access.py
 view = mocker.MagicMock()
 view.request = mocker.MagicMock()
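Review bot: The added test_job_template_vault_cred_check_noop covers only the unchanged-credential path, so nothing pins the boundary of the new exemption: a job template that already holds one vault credential and is submitted with a different one on which the user has no `use_role`. That is the case the `cred.pk != getattr(self.instance, attr)` comparison in the serializer must still reject, and the neighbouring test_job_template_vault_cred_check does not appear, from its visible lines, to attach a credential first. A companion test that attaches `vault_credential`, passes a second vault credential's pk to `serializer.validate(...)` and wraps the call in `with pytest.raises(PermissionDenied):` would cover it, assuming the module already imports both names. The copied comment `# not allowed to use the vault cred` would also read more accurately as `# rando has no use_role on the vault cred, but it is already attached`.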