From e0371f374540f3b4cafb1e186ea3313fc23320af Mon Sep 17 00:00:00 2001
From: Akita Noek
Date: Mon, 15 Feb 2016 10:43:50 -0500
Subject: [PATCH] Switched back to multiple-organizations for Projects
---
 awx/main/migrations/_rbac.py | 11 +++++-----
 awx/main/models/organization.py | 4 ----
 awx/main/models/projects.py | 12 ++---------
 awx/main/tests/functional/conftest.py | 4 +++-
 .../tests/functional/test_rbac_project.py | 21 ++++++++++++++++---
 5 files changed, 29 insertions(+), 23 deletions(-)
diff --git a/awx/main/migrations/_rbac.py b/awx/main/migrations/_rbac.py
index 76e4f83336..ddddb5c0a2 100644
--- a/awx/main/migrations/_rbac.py
+++ b/awx/main/migrations/_rbac.py
@@ -108,7 +108,7 @@ def migrate_projects(apps, schema_editor):
 Permission = apps.get_model('main', 'Permission')
 for project in Project.objects.all():
- if project.organization is None and project.created_by is not None:
+ if project.organizations.count() == 0 and project.created_by is not None:
 project.admin_role.members.add(project.created_by)
 migrations[project.name]['users'].add(project.created_by)
@@ -116,10 +116,11 @@ def migrate_projects(apps, schema_editor):
 team.member_role.children.add(project.member_role)
 migrations[project.name]['teams'].add(team)
- if project.organization is not None:
- for user in project.organization.users.all():
- project.member_role.members.add(user)
- migrations[project.name]['users'].add(user)
+ if project.organizations.count() > 0:
+ for org in project.organizations.all():
+ for user in org.users.all():
+ project.member_role.members.add(user)
+ migrations[project.name]['users'].add(user)
 for perm in Permission.objects.filter(project=project):
 # All perms at this level just imply a user or team can read
diff --git a/awx/main/models/organization.py b/awx/main/models/organization.py
index 2648784236..2b974a6317 100644
--- a/awx/main/models/organization.py
+++ b/awx/main/models/organization.py
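Review bot: `project.organizations.count() == 0` in migrate_projects (awx/main/migrations/_rbac.py) runs a COUNT query for every project only to test for emptiness; `not project.organizations.exists()` says the same thing more cheaply. The `if project.organizations.count() > 0:` guard in the following hunk can be dropped altogether, since looping over an empty `project.organizations.all()` already does nothing. migrate_projects starts and ends outside both hunks.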
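Review bot: The nested loop added to migrate_projects puts every user of every linked organization into the project's `member_role`, so a project shared by several organizations ends up with the union of their users as members, and nothing in the hunk documents that this widening is intended. Whether the pre-RBAC access rules granted the same union is not visible here; if they did, say so above the loop, e.g. `# users of any linked organization become project members, matching the old access check`. A functional test with a project in two organizations and a user in only one of them would pin the expected result. The function body continues outside the hunk.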
@@ -43,10 +43,6 @@ class Organization(CommonModel, ResourceMixin):
 blank=True,
 related_name='admin_of_organizations',
 )
-
- # TODO: This field is deprecated. In 3.0 all projects will have exactly one
- # organization parent, the foreign key field representing that has been
- # moved to the Project model.
 projects = models.ManyToManyField(
 'Project',
 blank=True,
diff --git a/awx/main/models/projects.py b/awx/main/models/projects.py
index 593f3e40ca..0d3f628575 100644
--- a/awx/main/models/projects.py
+++ b/awx/main/models/projects.py
@@ -196,14 +196,6 @@ class Project(UnifiedJobTemplate, ProjectOptions, ResourceMixin):
 app_label = 'main'
 ordering = ('id',)
- organization = models.ForeignKey(
- 'Organization',
- blank=False,
- null=True,
- on_delete=models.SET_NULL,
- related_name='project_list', # TODO: this should eventually be refactored
- # back to 'projects' - anoek 2016-01-28
- )
 scm_delete_on_next_update = models.BooleanField(
 default=False,
 editable=False,
@@ -209,13 +209,13 @@ class Project(UnifiedJobTemplate, ProjectOptions, ResourceMixin):
 )
 admin_role = ImplicitRoleField(
 role_name='Project Administrator',
- parent_role='organization.admin_role',
+ parent_role='organizations.admin_role',
 resource_field='resource',
 permissions = {'all': True}
 )
 auditor_role = ImplicitRoleField(
 role_name='Project Auditor',
- parent_role='organization.auditor_role',
+ parent_role='organizations.auditor_role',
 resource_field='resource',
 permissions = {'read': True}
 )
diff --git a/awx/main/tests/functional/conftest.py b/awx/main/tests/functional/conftest.py
index ca30f8315e..8ff971c795 100644
--- a/awx/main/tests/functional/conftest.py
+++ b/awx/main/tests/functional/conftest.py
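Review bot: `parent_role='organizations.admin_role'` and `parent_role='organizations.auditor_role'` in awx/main/models/projects.py now resolve through a many-to-many relation whose membership changes after the project row is saved, and nothing in this commit shows the role parents being recomputed when an organization is added to or removed from a project. If ImplicitRoleField only resolves the path at save time (not visible here), a project linked later would miss the organization's admin and auditor inheritance, and a project unlinked from an organization could keep a stale parent and with it the access. The conftest fixture adds the organization after `create()` and the tests call `rbac.migrate_organization` before asserting, which suggests the link is not automatic. Worth a comment such as `# parents follow Organization.projects (M2M); must be re-synced on m2m_changed - TODO confirm` and a test that removes the organization and asserts the inherited access is gone. The Project class body continues outside the hunk.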
@@ -29,7 +29,9 @@ def team(organization): @pytest.fixture def project(organization): - return Project.objects.create(name="test-project", organization=organization, description="test-project-desc") + prj = Project.objects.create(name="test-project", description="test-project-desc") + prj.organizations.add(organization) + return prj @pytest.fixture def user_project(user): diff --git a/awx/main/tests/functional/test_rbac_project.py b/awx/main/tests/functional/test_rbac_project.py index 95442036e4..f7625aaa31 100644 --- a/awx/main/tests/functional/test_rbac_project.py +++ b/awx/main/tests/functional/test_rbac_project.py @@ -3,10 +3,16 @@ import pytest from awx.main.migrations import _rbac as rbac from awx.main.models import Permission from django.apps import apps +from awx.main.migrations import _old_access as old_access + @pytest.mark.django_db def test_project_user_project(user_project, project, user): u = user('owner') + + assert old_access.check_user_access(u, user_project.__class__, 'read', user_project) + assert old_access.check_user_access(u, project.__class__, 'read', project) is False + assert user_project.accessible_by(u, {'read': True}) is False assert project.accessible_by(u, {'read': True}) is False migrations = rbac.migrate_projects(apps, None) @@ -20,11 +26,14 @@ def test_project_accessible_by_sa(user, project): u = user('systemadmin', is_superuser=True) assert project.accessible_by(u, {'read': True}) is False + rbac.migrate_organization(apps, None) su_migrations = rbac.migrate_users(apps, None) migrations = rbac.migrate_projects(apps, None) assert len(su_migrations) == 1 assert len(migrations[project.name]['users']) == 0 assert len(migrations[project.name]['teams']) == 0 + print(project.admin_role.ancestors.all()) + print(project.admin_role.ancestors.all()) assert project.accessible_by(u, {'read': True, 'write': True}) is True @pytest.mark.django_db 
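Review bot: The two identical `print(project.admin_role.ancestors.all())` lines added to test_project_accessible_by_sa look like leftover debugging output; remove them, or replace them with an assertion on the ancestors if the role hierarchy is what the test is meant to pin down. In the first hunk of the same file, `assert old_access.check_user_access(u, user_project.__class__, 'read', user_project)` tests truthiness while the next line compares with `is False`; using one form for both keeps the pre-migration baseline unambiguous. Both test functions continue outside their hunks.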
@@ -58,6 +67,7 @@ def test_project_team(user, team, project):
 assert project.accessible_by(member, {'read': True}) is False
 rbac.migrate_team(apps, None)
+ rbac.migrate_organization(apps, None)
 migrations = rbac.migrate_projects(apps, None)
 assert len(migrations[project.name]['users']) == 0
@@ -66,13 +76,18 @@ def test_project_team(user, team, project):
 assert project.accessible_by(nonmember, {'read': True}) is False
 @pytest.mark.django_db
-def test_project_explicit_permission(user, team, project):
- u = user('user')
- p = Permission(user=u, project=project, permission_type='check')
+def test_project_explicit_permission(user, team, project, organization):
+ u = user('prjuser')
+
+ assert old_access.check_user_access(u, project.__class__, 'read', project) is False
+
+ organization.users.add(u)
+ p = Permission(user=u, project=project, permission_type='create', name='Perm name')
 p.save()
 assert project.accessible_by(u, {'read': True}) is False
+ rbac.migrate_organization(apps, None)
 migrations = rbac.migrate_projects(apps, None)
 assert len(migrations[project.name]['users']) == 1
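Review bot: In test_project_explicit_permission the added `organization.users.add(u)` makes `u` a member of the project's organization, so `assert len(migrations[project.name]['users']) == 1` can now pass through the organization-membership branch of migrate_projects alone and no longer shows that the explicit `Permission` row was migrated. Keep the permission holder outside the organization, or use a second user for the membership path and assert each user's result separately. The change of `permission_type` from `'check'` to `'create'` also deserves a one-line comment saying which old permission level the test is meant to cover. The rest of the test body is outside the hunk.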