From 2e4c26a77f9679df2d48715bdb176fe3848994bd Mon Sep 17 00:00:00 2001
From: Wayne Witzel III
Date: Tue, 17 May 2016 13:56:11 -0400
Subject: [PATCH 1/3] remove the ORing of local roles, check against organization roles
---
 awx/main/fields.py | 9 +--------
 awx/main/migrations/0008_v300_rbac_changes.py | 4 ++--
 awx/main/models/jobs.py | 4 ++--
 3 files changed, 5 insertions(+), 12 deletions(-)
diff --git a/awx/main/fields.py b/awx/main/fields.py
index b77452ca5b..92ed69672f 100644
--- a/awx/main/fields.py
+++ b/awx/main/fields.py
@@ -225,14 +225,7 @@ class ImplicitRoleField(models.ForeignKey):
 parent_roles = set()
 for path in paths:
- if type(path) == tuple:
- for or_path in path:
- if or_path.startswith("singleton:"):
- raise Exception("Unable to use Singleton role in an OR context.")
- parents = resolve_role_field(instance, or_path)
- if len(parents) is not 0:
- break
- elif path.startswith("singleton:"):
+ if path.startswith("singleton:"):
 singleton_name = path[10:]
 Role_ = get_current_apps().get_model('main', 'Role')
 qs = Role_.objects.filter(singleton_name=singleton_name)
diff --git a/awx/main/migrations/0008_v300_rbac_changes.py b/awx/main/migrations/0008_v300_rbac_changes.py
index 0c6ec9627c..31a33c36a0 100644
--- a/awx/main/migrations/0008_v300_rbac_changes.py
+++ b/awx/main/migrations/0008_v300_rbac_changes.py
@@ -220,7 +220,7 @@ class Migration(migrations.Migration):
 migrations.AddField(
 model_name='jobtemplate',
 name='admin_role',
- field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=[(b'project.admin_role', b'inventory.admin_role')], to='main.Role', null=b'True'),
+ field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=[b'project.organization.admin_role', b'inventory.organization.admin_role'], to='main.Role', null=b'True'),
 ),
 migrations.AddField(
 model_name='jobtemplate',
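Review bot: After this hunk every entry of `paths` reaches `path.startswith("singleton:")` directly, so a tuple left in any `parent_role` list now fails with an AttributeError that names neither the field nor the offending entry. An exception rather than a silent grant is the safe outcome for role resolution, but an explicit guard at the top of the loop would make the removal of the OR form obvious: `if isinstance(path, tuple): raise ValueError("tuple (OR) entries in parent_role are no longer supported")`. The loop body continues past the end of the hunk, so how non-singleton paths are resolved is not visible here.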
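Review bot: `0008_v300_rbac_changes.py` is edited in place, so a database that has already applied 0008 never sees the new `parent_role` for `admin_role` here or for `read_role` in the hunk at -230. If parent links are stored per object when implicit roles are computed (the loop in `fields.py` suggests this, though the storage is not visible in this patch), job templates created under the old rule would keep project and inventory admins as template admins until their roles are rebuilt. Worth confirming that no environment has run 0008 yet, or adding a follow-up data migration that recomputes job-template roles; at minimum leave a comment such as `# parent_role changed in place before release; rebuild implicit roles on databases that already ran 0008`. The rest of the migration is outside the hunk, so a later rebuild step may already exist.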
@@ -230,7 +230,7 @@ class Migration(migrations.Migration):
 migrations.AddField(
 model_name='jobtemplate',
 name='read_role',
- field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=[(b'project.organization.auditor_role', b'inventory.organization.auditor_role'), b'execute_role', b'admin_role'], to='main.Role', null=b'True'),
+ field=awx.main.fields.ImplicitRoleField(related_name='+', parent_role=[b'project.organization.auditor_role', b'inventory.organization.auditor_role', b'execute_role', b'admin_role'], to='main.Role', null=b'True'),
 ),
 migrations.AddField(
 model_name='organization',
diff --git a/awx/main/models/jobs.py b/awx/main/models/jobs.py
index e7a97755f3..1d9f78999e 100644
--- a/awx/main/models/jobs.py
+++ b/awx/main/models/jobs.py
@@ -221,13 +221,13 @@ class JobTemplate(UnifiedJobTemplate, JobOptions, ResourceMixin):
 default={},
 )
 admin_role = ImplicitRoleField(
- parent_role=[('project.admin_role', 'inventory.admin_role')]
+ parent_role=['project.organization.admin_role', 'inventory.organization.admin_role']
 )
 execute_role = ImplicitRoleField(
 parent_role=['admin_role'],
 )
 read_role = ImplicitRoleField(
- parent_role=[('project.organization.auditor_role', 'inventory.organization.auditor_role'), 'execute_role', 'admin_role'],
+ parent_role=['project.organization.auditor_role', 'inventory.organization.auditor_role', 'execute_role', 'admin_role'],
 )
 @classmethod
From f00825ecf04374920676243098748d4eecf7c0b7 Mon Sep 17 00:00:00 2001
From: Wayne Witzel III
Date: Wed, 18 May 2016 14:08:15 -0400
Subject: [PATCH 2/3] removed OR test, removed that functionality
---
 awx/main/tests/functional/test_rbac_core.py | 27 ---------------------
 1 file changed, 27 deletions(-)
diff --git a/awx/main/tests/functional/test_rbac_core.py b/awx/main/tests/functional/test_rbac_core.py
index 8001cb6d71..a8b9de0d13 100644
--- a/awx/main/tests/functional/test_rbac_core.py
+++ b/awx/main/tests/functional/test_rbac_core.py
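Review bot: `admin_role` now lists `project.organization.admin_role` and `inventory.organization.admin_role` as two separate parents, so when a template's project and inventory sit in different organizations, an admin of either organization presumably administers the template, including the half owned by the other organization. The same union applies to the two auditor paths in `read_role`. If that is intended, record it above the field, e.g. `# admins of the project's org OR the inventory's org administer this template`; if not, the rule needs to require both organizations. Patch 2/3 deletes `test_OR_parents` without a replacement, so nothing in the series asserts that an organization admin is in `jt.admin_role` and that a project-only or inventory-only admin no longer is. The rest of `JobTemplate` lies outside the hunk.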
@@ -221,30 +221,3 @@ def test_auto_parenting():
 assert org1.admin_role.is_ancestor_of(prj2.admin_role) is False
 assert org2.admin_role.is_ancestor_of(prj1.admin_role)
 assert org2.admin_role.is_ancestor_of(prj2.admin_role)
-
-@pytest.mark.django_db
-def test_OR_parents(alice, bob):
- org1 = Organization.objects.create(name="org1")
-
- inv = Inventory.objects.create(name='inv1', organization=org1)
- prj = Project.objects.create(name='prj1', organization=org1)
-
- jt1 = JobTemplate.objects.create(name='jt1', inventory=inv)
- jt2 = JobTemplate.objects.create(name='jt2', project=prj)
- jt3 = JobTemplate.objects.create(name='jt3', inventory=inv, project=prj)
-
- assert bob not in jt1.admin_role
- assert alice not in jt2.admin_role
- assert bob not in jt3.admin_role
- assert alice not in jt3.admin_role
-
- inv.admin_role.members.add(bob)
- assert bob in jt1.admin_role
- assert alice not in jt1.admin_role
-
- prj.admin_role.members.add(alice)
- assert alice in jt2.admin_role
- assert bob not in jt2.admin_role
-
- assert alice in jt3.admin_role
- assert bob not in jt3.admin_role
From 1810e80203129634491a6422fb19a83ae91124f0 Mon Sep 17 00:00:00 2001
From: Wayne Witzel III
Date: Wed, 18 May 2016 15:29:13 -0400
Subject: [PATCH 3/3] pep8 fixups, unused imports
---
 awx/main/tests/functional/test_rbac_core.py | 2 --
 1 file changed, 2 deletions(-)
diff --git a/awx/main/tests/functional/test_rbac_core.py b/awx/main/tests/functional/test_rbac_core.py
index a8b9de0d13..c1e3f0208d 100644
--- a/awx/main/tests/functional/test_rbac_core.py
+++ b/awx/main/tests/functional/test_rbac_core.py
@@ -4,8 +4,6 @@ from awx.main.models import (
 Role,
 Organization,
 Project,
- JobTemplate,
- Inventory,
 )