cover testing of new 3.3 org roles for user security fix

awx/main/access.py

@@ -519,12 +519,7 @@ class UserAccess(BaseAccess):
     def user_membership_roles(self, u):
         return Role.objects.filter(
             content_type=ContentType.objects.get_for_model(Organization),
-            role_field__in=[
+            role_field__in=Organization.member_role.field.parent_role + ['member_role'],
-                'admin_role', 'member_role',
-                'execute_role', 'project_admin_role', 'inventory_admin_role',
-                'credential_admin_role', 'workflow_admin_role',
-                'notification_admin_role'
-            ],
             members=u
         )
 
@@ -2531,7 +2526,8 @@ class RoleAccess(BaseAccess):
         # administrators of that Organization the ability to edit that user. To prevent
         # unwanted escalations lets ensure that the Organization administartor has the abilty
         # to admin the user being added to the role.
-        if isinstance(obj.content_object, Organization) and obj.role_field in ['member_role', 'admin_role']:
+        if (isinstance(obj.content_object, Organization) and
+                obj.role_field in (Organization.member_role.field.parent_role + ['member_role'])):
             if not UserAccess(self.user).can_admin(sub_obj, None, allow_orphans=True):
                 return False
 

awx/main/tests/functional/test_rbac_role.py

@@ -67,6 +67,7 @@ def test_org_user_role_attach(user, organization, inventory):
 
     role_access = RoleAccess(admin)
     assert not role_access.can_attach(organization.member_role, nonmember, 'members', None)
+    assert not role_access.can_attach(organization.notification_admin_role, nonmember, 'members', None)
     assert not role_access.can_attach(organization.admin_role, nonmember, 'members', None)