From 133cca14467c492e610cebb665017116dd5d1249 Mon Sep 17 00:00:00 2001
From: AlanCoding <arominge@redhat.com>
Date: Thu, 5 Apr 2018 07:36:00 -0400
Subject: [PATCH] fix WFJT user_capabilities special-case

---
 awx/main/access.py                                |  7 +++----
 .../tests/functional/api/test_rbac_displays.py    | 15 +++++++++++++--
 2 files changed, 16 insertions(+), 6 deletions(-)

diff --git a/awx/main/access.py b/awx/main/access.py
index 23f182177d..2bad844201 100644
--- a/awx/main/access.py
+++ b/awx/main/access.py
@@ -348,10 +348,9 @@ class BaseAccess(object):
                 if obj.validation_errors:
                     user_capabilities[display_method] = False
                     continue
-            elif isinstance(obj, (WorkflowJobTemplate, WorkflowJob)):
-                if not feature_enabled('workflows'):
-                    user_capabilities[display_method] = (display_method == 'delete')
-                    continue
+            elif isinstance(obj, (WorkflowJobTemplate, WorkflowJob)) and (not feature_enabled('workflows')):
+                user_capabilities[display_method] = (display_method == 'delete')
+                continue
             elif display_method == 'copy' and isinstance(obj, WorkflowJobTemplate) and obj.organization_id is None:
                 user_capabilities[display_method] = self.user.is_superuser
                 continue
diff --git a/awx/main/tests/functional/api/test_rbac_displays.py b/awx/main/tests/functional/api/test_rbac_displays.py
index c0931b50da..01de27bbe7 100644
--- a/awx/main/tests/functional/api/test_rbac_displays.py
+++ b/awx/main/tests/functional/api/test_rbac_displays.py
@@ -3,8 +3,8 @@ import pytest
 from awx.api.versioning import reverse
 from django.test.client import RequestFactory
 
-from awx.main.models import Role, Group, UnifiedJobTemplate, JobTemplate
-from awx.main.access import access_registry
+from awx.main.models import Role, Group, UnifiedJobTemplate, JobTemplate, WorkflowJobTemplate
+from awx.main.access import access_registry, WorkflowJobTemplateAccess
 from awx.main.utils import prefetch_page_capabilities
 from awx.api.serializers import JobTemplateSerializer, UnifiedJobTemplateSerializer
 
@@ -322,6 +322,17 @@ def test_prefetch_jt_copy_capability(job_template, project, inventory, rando):
     assert mapping[job_template.id] == {'copy': True}
 
 
+@pytest.mark.django_db
+def test_workflow_orphaned_capabilities(rando):
+    wfjt = WorkflowJobTemplate.objects.create(name='test', organization=None)
+    wfjt.admin_role.members.add(rando)
+    access = WorkflowJobTemplateAccess(rando)
+    assert not access.get_user_capabilities(
+        wfjt, method_list=['edit', 'copy'],
+        capabilities_cache={'copy': True}
+    )['copy']
+
+
 @pytest.mark.django_db
 def test_manual_projects_no_update(manual_project, get, admin_user):
     response = get(reverse('api:project_detail', kwargs={'pk': manual_project.pk}), admin_user, expect=200)