Merge pull request #4753 from AlanCoding/WJ_delete

Limit workflow job delete access to org admin

awx/main/access.py

@@ -1625,11 +1625,11 @@ class WorkflowJobAccess(BaseAccess):
     def can_change(self, obj, data):
         return False
 
+    @check_superuser
     def can_delete(self, obj):
-        if obj.workflow_job_template is None:
+        return (obj.workflow_job_template and
-            # only superusers can delete orphaned workflow jobs
+                obj.workflow_job_template.organization and
-            return self.user.is_superuser
+                self.user in obj.workflow_job_template.organization.admin_role)
-        return self.user in obj.workflow_job_template.admin_role
 
     def get_method_capability(self, method, obj, parent_obj):
         if method == 'start':

awx/main/tests/functional/test_rbac_workflow.py

@@ -86,11 +86,15 @@ class TestWorkflowJobTemplateNodeAccess:
 @pytest.mark.django_db
 class TestWorkflowJobAccess:
 
-    def test_wfjt_admin_delete(self, wfjt, workflow_job, rando):
+    def test_org_admin_can_delete_workflow_job(self, workflow_job, org_admin):
-        wfjt.admin_role.members.add(rando)
+        access = WorkflowJobAccess(org_admin)
-        access = WorkflowJobAccess(rando)
         assert access.can_delete(workflow_job)
 
+    def test_wfjt_admin_can_delete_workflow_job(self, workflow_job, rando):
+        workflow_job.workflow_job_template.admin_role.members.add(rando)
+        access = WorkflowJobAccess(rando)
+        assert not access.can_delete(workflow_job)
+
     def test_cancel_your_own_job(self, wfjt, workflow_job, rando):
         wfjt.execute_role.members.add(rando)
         workflow_job.created_by = rando