Better control what JT admins are allowed to do

This addresses #1981 which says that JT admins can make modifications to
a job template freely if they're just changing non functional things
like name, description, forks, verbosity, etc, while requiring them to
have access to all functional components if they're going to make any
changes to the functionality - in specific, any changes to the
inventory, project, playbook, or credentials requires that the user have
the appropriate use access on all of those things in order to make the
change.

awx/main/tests/factories/fixtures.py

@@ -107,7 +107,7 @@ def mk_job_template(name, job_type='run',
                     organization=None, inventory=None,
                     credential=None, persisted=True,
                     project=None):
-    jt = JobTemplate(name=name, job_type=job_type)
+    jt = JobTemplate(name=name, job_type=job_type, playbook='mocked')
 
     jt.inventory = inventory
     if jt.inventory is None:

awx/main/tests/functional/api/test_job_templates.py

@@ -0,0 +1,109 @@
+import mock # noqa
+import pytest
+from awx.main.models.projects import ProjectOptions
+
+
+from django.core.urlresolvers import reverse
+
+def decorators(func):
+    @property
+    def project_playbooks(self):
+        return ['mocked', 'othermocked']
+
+    return pytest.mark.django_db(mock.patch.object(ProjectOptions, "playbooks", project_playbooks)(func))
+
+@decorators
+@pytest.mark.parametrize(
+    "grant_project, grant_credential, grant_inventory, expect", [
+        (True, True, True, 201),
+        (True, True, False, 403),
+        (True, False, True, 403),
+        (False, True, True, 403),
+    ]
+)
+def test_create(post, project, machine_credential, inventory, alice, grant_project, grant_credential, grant_inventory, expect):
+    if grant_project:
+        project.use_role.members.add(alice)
+    if grant_credential:
+        machine_credential.use_role.members.add(alice)
+    if grant_inventory:
+        inventory.use_role.members.add(alice)
+
+    post(reverse('api:job_template_list'), {
+        'name': 'Some name',
+        'project': project.id,
+        'credential': machine_credential.id,
+        'inventory': inventory.id,
+        'playbook': 'mocked',
+    }, alice, expect=expect)
+
+@decorators
+@pytest.mark.parametrize(
+    "grant_project, grant_credential, grant_inventory, expect", [
+        (True, True, True, 200),
+        (True, True, False, 403),
+        (True, False, True, 403),
+        (False, True, True, 403),
+    ]
+)
+def test_edit_sensitive_fields(patch, job_template_factory, alice, grant_project, grant_credential, grant_inventory, expect):
+    objs = job_template_factory('jt', organization='org1', project='prj', inventory='inv', credential='cred')
+    objs.job_template.admin_role.members.add(alice)
+
+    if grant_project:
+        objs.project.use_role.members.add(alice)
+    if grant_credential:
+        objs.credential.use_role.members.add(alice)
+    if grant_inventory:
+        objs.inventory.use_role.members.add(alice)
+
+    patch(reverse('api:job_template_detail', args=(objs.job_template.id,)), {
+        'name': 'Some name',
+        'project': objs.project.id,
+        'credential': objs.credential.id,
+        'inventory': objs.inventory.id,
+        'playbook': 'othermocked',
+    }, alice, expect=expect)
+
+@decorators
+def test_edit_playbook(patch, job_template_factory, alice):
+    objs = job_template_factory('jt', organization='org1', project='prj', inventory='inv', credential='cred')
+    objs.job_template.admin_role.members.add(alice)
+    objs.project.use_role.members.add(alice)
+    objs.credential.use_role.members.add(alice)
+    objs.inventory.use_role.members.add(alice)
+
+    patch(reverse('api:job_template_detail', args=(objs.job_template.id,)), {
+        'playbook': 'othermocked',
+    }, alice, expect=200)
+
+    objs.inventory.use_role.members.remove(alice)
+    patch(reverse('api:job_template_detail', args=(objs.job_template.id,)), {
+        'playbook': 'mocked',
+    }, alice, expect=403)
+
+@decorators
+def test_edit_nonsenstive(patch, job_template_factory, alice):
+    objs = job_template_factory('jt', organization='org1', project='prj', inventory='inv', credential='cred')
+    jt = objs.job_template
+    jt.admin_role.members.add(alice)
+
+    res = patch(reverse('api:job_template_detail', args=(jt.id,)), {
+        'name': 'updated',
+        'description': 'bar',
+        'forks': 14,
+        'limit': 'something',
+        'verbosity': 5,
+        'extra_vars': '--',
+        'job_tags': 'sometags',
+        'force_handlers': True,
+        'skip_tags': True,
+        'ask_variables_on_launch':True,
+        'ask_tags_on_launch':True,
+        'ask_job_type_on_launch':True,
+        'ask_inventory_on_launch':True,
+        'ask_credential_on_launch': True,
+        'survey_enabled':True,
+    }, alice, expect=200)
+    print(res.data)
+    assert res.data['name'] == 'updated'