From 69924c9544de62c2eb0d83947d4fdc9eebbb407a Mon Sep 17 00:00:00 2001
From: Rebeccah
Date: Fri, 27 Sep 2019 11:02:47 -0400
Subject: [PATCH 1/4] added in ability to delete a user if they are part of your organization

---
 awx/main/access.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/awx/main/access.py b/awx/main/access.py
index e9957656de..0435509c8e 100644
--- a/awx/main/access.py
+++ b/awx/main/access.py
@@ -663,6 +663,8 @@ class UserAccess(BaseAccess):
 return False
 if self.user.is_superuser:
 return True
+ if self.can_admin(obj, None):
+ return True
 return False
 
 def can_attach(self, obj, sub_obj, relationship, *args, **kwargs):

From 075d1a25218768eb28d2d878df0c247a1c94dd91 Mon Sep 17 00:00:00 2001
From: Rebeccah
Date: Fri, 27 Sep 2019 12:26:00 -0400
Subject: [PATCH 2/4] removed superuser check since can_admin already checks that, and also added allow orphans so admins can delete orphaned users

---
 awx/main/access.py | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/awx/main/access.py b/awx/main/access.py
index 0435509c8e..3eefb08723 100644
--- a/awx/main/access.py
+++ b/awx/main/access.py
@@ -661,9 +661,7 @@ class UserAccess(BaseAccess):
 if obj.is_superuser and super_users.count() == 1:
 # cannot delete the last active superuser
 return False
- if self.user.is_superuser:
- return True
- if self.can_admin(obj, None):
+ if self.can_admin(obj, None, allow_orphans=True):
 return True
 return False
 

From 758529d7dda30fda71161d396f770ec3279727ba Mon Sep 17 00:00:00 2001
From: Rebeccah
Date: Fri, 27 Sep 2019 15:27:14 -0400
Subject: [PATCH 3/4] added in unit test for org admin deleting user

---
 awx/main/tests/functional/test_rbac_user.py | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/awx/main/tests/functional/test_rbac_user.py b/awx/main/tests/functional/test_rbac_user.py
index c161a79c2f..b5ad2c04b7 100644
--- a/awx/main/tests/functional/test_rbac_user.py
+++ b/awx/main/tests/functional/test_rbac_user.py
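Review bot: The added `if self.can_admin(obj, None): return True` immediately followed by the existing `return False` collapses to a single `return self.can_admin(obj, None)`, which reads more directly for a permission predicate and removes the truthy-then-False pattern; the same shape survives the rewrite in [PATCH 2/4]. Because user deletion is irreversible, the delegation also deserves a why-comment at the call site, e.g. `# org-level admin check lives in can_admin`, since the hunk itself shows nothing about how can_admin treats a superuser or system-auditor target and a reader of this method cannot confirm that from here. The enclosing can_delete starts outside the hunk.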
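Review bot: `allow_orphans=True` widens the grant beyond the series' stated goal of deleting users "part of your organization": as far as the hunk shows, any organization admin may now delete a user who belongs to no organization at all, and with the explicit `self.user.is_superuser` short-circuit removed the only guard still visible in can_delete is the last-active-superuser check above. The commit message says this widening is intended, so it should be stated where the decision is made, e.g. `# org admins may delete users they administer; allow_orphans also lets them remove users with no organization`, and backed by negative tests showing an org admin is refused for a superuser or system-auditor target, which I cannot verify from this hunk because can_admin is not shown. The enclosing can_delete starts outside the hunk.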
@@ -150,3 +150,9 @@ def test_org_admin_edit_sys_auditor(org_admin, alice, organization):
 organization.member_role.members.add(alice)
 access = UserAccess(org_admin)
 assert not access.can_change(obj=alice, data=dict(is_system_auditor='true'))
+
+
+@pytest.mark.django_db
+def test_org_admin_can_delete_user(org_admin, alice):
+ access = UserAccess(org_admin)
+ assert access.can_delete(alice)
\ No newline at end of file

From 28a119ca962bb7c3d72024538091acfdb241cf77 Mon Sep 17 00:00:00 2001
From: Rebeccah
Date: Fri, 27 Sep 2019 15:43:52 -0400
Subject: [PATCH 4/4] re-worked unit test into 3 seperate unit tests, one for orphans, one for group members, and one for multi-group members

---
 awx/main/tests/functional/test_rbac_user.py | 19 +++++++++++++++++--
 1 file changed, 17 insertions(+), 2 deletions(-)

diff --git a/awx/main/tests/functional/test_rbac_user.py b/awx/main/tests/functional/test_rbac_user.py
index b5ad2c04b7..ca3d268b18 100644
--- a/awx/main/tests/functional/test_rbac_user.py
+++ b/awx/main/tests/functional/test_rbac_user.py
@@ -153,6 +153,21 @@ def test_org_admin_edit_sys_auditor(org_admin, alice, organization):
 
 
 @pytest.mark.django_db
-def test_org_admin_can_delete_user(org_admin, alice):
+def test_org_admin_can_delete_orphan(org_admin, alice):
 access = UserAccess(org_admin)
- assert access.can_delete(alice)
\ No newline at end of file
+ assert access.can_delete(alice)
+
+
+@pytest.mark.django_db
+def test_org_admin_can_delete_group_member(org_admin, org_member):
+ access = UserAccess(org_admin)
+ assert access.can_delete(org_member)
+
+
+@pytest.mark.django_db
+def test_org_admin_cannot_delete_member_attached_to_other_group(org_admin, org_member):
+ other_org = Organization.objects.create(name="other-org", description="other-org-desc")
+ access = UserAccess(org_admin)
+ other_org.member_role.members.add(org_member)
+ assert not access.can_delete(org_member)
+ 
\ No newline at end of file
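Review bot: The three tests in the [PATCH 4/4] hunk only ever ask the question as `org_admin`; nothing asserts that a plain organization member, or an admin of an unrelated organization, is refused `can_delete`, and nothing checks that an org admin is refused for a superuser or system-auditor target, which is exactly where a widened delete right would matter most. The orphan test also inherits its precondition (alice has no organization membership) from fixtures outside the hunk and carries it only in the name, so a one-line docstring such as `"""alice belongs to no organization; allow_orphans lets an org admin delete her."""` would make the intent reviewable. The trailing whitespace-only `+` line and the missing final newline should be dropped as well; the earlier [PATCH 3/4] hunk has the same EOF issue but is rewritten here. Assuming the intended policy restricts deletion to admins, a minimal negative case using only fixtures already on the page would be:
```python
@pytest.mark.django_db
def test_org_member_cannot_delete_user(org_member, alice):
    access = UserAccess(org_member)
    assert not access.can_delete(alice)
```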