From f6f555b1856fc723ae1e801f3f625bc969617c29 Mon Sep 17 00:00:00 2001
From: Akita Noek
Date: Mon, 2 May 2016 15:49:59 -0400
Subject: [PATCH] Prevent organization changes for teams

In old_access.py we restricted even super users from doing this. I'm not sure that it'd actually break anything to allow this, but I'm making the new access.py behave like old_access.py for good measure until we have a valid usecase for this.
---
 awx/main/access.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/awx/main/access.py b/awx/main/access.py
index aefb6934a6..3b68d9e781 100644
--- a/awx/main/access.py
+++ b/awx/main/access.py
@@ -631,12 +631,13 @@ class TeamAccess(BaseAccess):
 return True
 return False

- @check_superuser
 def can_change(self, obj, data):
 # Prevent moving a team to a different organization.
 org_pk = get_pk_from_dict(data, 'organization')
 if obj and org_pk and obj.organization.pk != org_pk:
 raise PermissionDenied('Unable to change organization on a team')
+ if self.user.is_superuser:
+ return True
 return self.user in obj.admin_role

 def can_delete(self, obj):
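Review bot: The organization guard in `can_change` now protects against superusers only because it runs before the added `if self.user.is_superuser:` shortcut, and nothing in the code records that this ordering is deliberate. A later cleanup that restores `@check_superuser` (the decorator this patch removes) would silently let superusers move teams again. I would extend the existing comment to something like `# Must run before the superuser shortcut: superusers are denied too.` and add a test that expects `PermissionDenied` when a superuser submits a different organization. Separately, the guard is skipped whenever `org_pk` is falsy, so whether a request carrying a null `organization` can detach a team depends on `get_pk_from_dict` and the serializer, neither of which is visible in this hunk and both worth confirming. `TeamAccess` itself starts and ends outside the hunk.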