From e53c2bdfa52f4a808c64d321b64a87a718e0ab99 Mon Sep 17 00:00:00 2001
From: Wayne Witzel III <wwitzel@redhat.com>
Date: Tue, 12 Apr 2016 15:52:49 -0400
Subject: [PATCH] Fixes #1477

---
 awx/main/access.py | 28 ++++++++++------------------
 1 file changed, 10 insertions(+), 18 deletions(-)

diff --git a/awx/main/access.py b/awx/main/access.py
index 565a9be47f..7f5babaa0f 100644
--- a/awx/main/access.py
+++ b/awx/main/access.py
@@ -772,26 +772,18 @@ class JobTemplateAccess(BaseAccess):
         # Super users can start any job
         if self.user.is_superuser:
             return True
-        # Check to make sure both the inventory and project exist
+
+        # Must have an inventory if you are not a superuser.
         if obj.inventory is None:
             return False
+
         if obj.job_type == PERM_INVENTORY_SCAN:
-            if obj.project is None and obj.inventory.organization.accessible_by(self.user, {'read':True, 'update':True, 'write':True}):
-                return True
-            if not obj.inventory.organization.accessible_by(self.user, {'read':True, 'update':True, 'write':True}):
-                return False
-        if obj.project is None:
-            return False
+            # Scan job with default project, must have JT execute or be org admin
+            if obj.project is None and obj.inventory:
+                return (obj.accessible_by(self.user, {'execute': True}) or
+                        obj.inventory.organization.accessible_by(self.user, ALL_PERMISSIONS))
 
-        # Given explicit execute access to this JobTemplate
-        if obj.accessible_by(self.user, {'execute':True}):
-            return True
-
-        # If the user has admin access to the project they can start a job
-        if obj.project.accessible_by(self.user, ALL_PERMISSIONS):
-            return True
-
-        return obj.inventory.accessible_by(self.user, {'read':True}) and obj.project.accessible_by(self.user, {'read':True})
+        return obj.accessible_by(self.user, {'execute':True})
 
     def can_change(self, obj, data):
         data_for_change = data
@@ -872,7 +864,7 @@ class JobAccess(BaseAccess):
         has_perm = False
         if obj.job_template is not None and obj.job_template.accessible_by(self.user, {'execute':True}):
             has_perm = True
-        dep_access_inventory = obj.inventory.accessible_by(self.user, {'read':True})
+        dep_access_inventory = obj.inventory.accessible_by(self.user, {'use':True})
         dep_access_project = obj.project is None or obj.project.accessible_by(self.user, {'read':True})
         return self.can_read(obj) and dep_access_inventory and dep_access_project and has_perm
 
@@ -895,7 +887,7 @@ class SystemJobAccess(BaseAccess):
     '''
     model = SystemJob
 
-class AdHocCommandAccess(BaseAccess): 
+class AdHocCommandAccess(BaseAccess):
     '''
     I can only see/run ad hoc commands when:
     - I am a superuser.