From eaa74b40c106f63c69f4766713f5f8522b4dd044 Mon Sep 17 00:00:00 2001
From: Rebeccah
Date: Wed, 17 Feb 2021 14:54:17 -0500
Subject: [PATCH] add org admins as able to control EEs even if they don't have the ee_admin role for the specific ee and prevent managed_by_tower EEs from being edited/deleted
---
 awx/main/access.py | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/awx/main/access.py b/awx/main/access.py
index a8a110e9c3..8817e7b917 100644
--- a/awx/main/access.py
+++ b/awx/main/access.py
@@ -1325,7 +1325,7 @@ class ExecutionEnvironmentAccess(BaseAccess):
 def filtered_queryset(self):
 return ExecutionEnvironment.objects.filter(
- Q(organization__in=Organization.accessible_pk_qs(self.user, 'execution_environment_admin_role')) |
+ Q(organization__in=Organization.accessible_pk_qs(self.user, 'member_role')) |
 Q(organization__isnull=True)
 ).distinct()
@@ -1337,9 +1337,11 @@ class ExecutionEnvironmentAccess(BaseAccess):
 @check_superuser
 def can_change(self, obj, data):
+ if obj.managed_by_tower is True:
+ raise PermissionDenied
 if obj and obj.organization_id is None:
 raise PermissionDenied
- if self.user not in obj.organization.execution_environment_admin_role:
+ if self.user not in obj.organization.execution_environment_admin_role and self.user not in obj.organization.admin_role:
 raise PermissionDenied
 org_pk = get_pk_from_dict(data, 'organization')
 if obj and obj.organization_id != org_pk:
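Review bot: Switching the `filtered_queryset` lookup from `'execution_environment_admin_role'` to `'member_role'` lets every organization member list that organization's execution environments, which the commit subject does not mention, and it may hide them from users who hold only the EE admin role. Whether `execution_environment_admin_role` implies `member_role` is decided by the role hierarchy outside this hunk; if it does not, such a user would still pass `can_change` but no longer see the object in the queryset. Consider keeping the old lookup next to the new one, i.e. retaining `Q(organization__in=Organization.accessible_pk_qs(self.user, 'execution_environment_admin_role')) |`, and adding a comment such as `# any org member may view the org's EEs; change/delete stays gated in can_change`.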
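Review bot: The added guard `if obj.managed_by_tower is True:` dereferences `obj` before the `if obj and …` check on the following context line, and `is True` matches only the literal boolean, so a truthy non-bool value would pass it; `if obj and obj.managed_by_tower:` is the safer form. The guard also sits under `@check_superuser`, so if that decorator (defined outside this hunk) returns early for superusers, managed EEs remain editable by them despite the commit subject. Deletion is covered only if `can_delete` routes through `can_change`, which is not visible here; `can_change` itself continues past the end of the hunk. A test asserting that an org admin can change an org-owned EE and that a managed EE is refused would pin both behaviours.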