From f301cb0f9bc4f2b2c9e98234b142d4f083758af1 Mon Sep 17 00:00:00 2001
From: Aaron Tan
Date: Thu, 13 Oct 2016 17:06:37 -0400
Subject: [PATCH] Split unit tests & add access obj org sanity check.
---
 awx/main/access.py | 2 +-
 awx/main/tests/functional/test_rbac_inventory.py | 10 ++++++++--
 2 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/awx/main/access.py b/awx/main/access.py
index c09b30e9a7..cfc881e4af 100644
--- a/awx/main/access.py
+++ b/awx/main/access.py
@@ -2053,7 +2053,7 @@ class CustomInventoryScriptAccess(BaseAccess):
 @check_superuser
 def can_admin(self, obj, data=None):
 org_pk = get_pk_from_dict(data, 'organization')
- if obj and org_pk and obj.organization.pk != org_pk:
+ if obj and org_pk and obj.organization and obj.organization.pk != org_pk:
 org = get_object_or_400(Organization, pk=org_pk)
 if self.user not in org.admin_role:
 return False
diff --git a/awx/main/tests/functional/test_rbac_inventory.py b/awx/main/tests/functional/test_rbac_inventory.py
index 5b28645922..4198d71565 100644
--- a/awx/main/tests/functional/test_rbac_inventory.py
+++ b/awx/main/tests/functional/test_rbac_inventory.py
@@ -15,7 +15,7 @@ from awx.main.access import (
 from django.apps import apps

 @pytest.mark.django_db
-def test_custom_inv_script_access(organization, user, organization_factory):
+def test_custom_inv_script_access(organization, user):
 u = user('user', False)
 ou = user('oadm', False)

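Review bot: In `CustomInventoryScriptAccess.can_admin` (awx/main/access.py) the added `obj.organization and` guard makes the organization check fail open. When the script has no organization and `data` names one, the condition is false and the `self.user not in org.admin_role` test on the target organization is skipped. Whether that request is still denied depends on the rest of `can_admin`, which lies outside the hunk. Treating a missing organization as different from the requested one keeps the target-org check in force: `if obj and org_pk and (obj.organization is None or obj.organization.pk != org_pk):`. A one-line comment such as `# no current org: still require admin on the target org` would record the intent.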
@@ -30,8 +30,14 @@ def test_custom_inv_script_access(organization, user, organization_factory):
 organization.admin_role.members.add(ou)
 assert ou in custom_inv.admin_role

+@pytest.mark.django_db
+def test_modify_inv_script_foreign_org_admin(org_admin, organization, organization_factory, project):
+ custom_inv = CustomInventoryScript.objects.create(name='test', script='test', description='test')
+ custom_inv.organization = organization
+ custom_inv.save()
+
 other_org = organization_factory('not-my-org').organization
- access = CustomInventoryScriptAccess(ou)
+ access = CustomInventoryScriptAccess(org_admin)
 assert not access.can_change(custom_inv, {'organization': other_org.pk, 'name': 'new-project'})

 @pytest.mark.django_db
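Review bot: The new `test_modify_inv_script_foreign_org_admin` does not cover the case the access.py change introduces, a `CustomInventoryScript` whose `organization` is unset. It assigns `custom_inv.organization = organization` before calling `can_change`, so the added `obj.organization and` branch is never exercised. A companion test that leaves `organization` unset and asserts the result of `access.can_change(custom_inv, {'organization': other_org.pk})` for a user who is not an admin of `other_org` would pin the intended authorization outcome. The `project` fixture in the new signature is not referenced in the lines visible here and can probably be dropped: `def test_modify_inv_script_foreign_org_admin(org_admin, organization, organization_factory):`.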