Remove the created_by access ability for projects

Now, simply being the creator of a project does not convey any access
for users.  You must be in a project/team that has access to it and you
must be an org admin for an org that has the project to be able to make
changes to it

awx/main/access.py

@@ -673,23 +673,20 @@ class ProjectAccess(BaseAccess):
      - I am on a team associated with the project.
      - I have been explicitly granted permission to run/check jobs using the
        project.
-     - I created it (for now?).
     I can change/delete when:
      - I am a superuser.
      - I am an admin in an organization associated with the project.
-     - I created it (for now?).
     '''
 
     model = Project
 
     def get_queryset(self):
         qs = Project.objects.filter(active=True).distinct()
-        qs = qs.select_related('created_by', 'modified_by', 'credential', 'current_update', 'last_update')
+        qs = qs.select_related('modified_by', 'credential', 'current_update', 'last_update')
         if self.user.is_superuser:
             return qs
         team_ids = set(Team.objects.filter(users__in=[self.user]).values_list('id', flat=True))
-        qs = qs.filter(Q(created_by=self.user) |
+        qs = qs.filter(Q(organizations__admins__in=[self.user], organizations__active=True) |
-                       Q(organizations__admins__in=[self.user], organizations__active=True) |
                        Q(organizations__users__in=[self.user], organizations__active=True) |
                        Q(teams__in=team_ids))
         allowed_deploy = [PERM_JOBTEMPLATE_CREATE, PERM_INVENTORY_DEPLOY]
@@ -720,8 +717,6 @@ class ProjectAccess(BaseAccess):
     def can_change(self, obj, data):
         if self.user.is_superuser:
             return True
-        if obj.created_by == self.user:
-            return True
         if obj.organizations.filter(active=True, admins__in=[self.user]).exists():
             return True
         return False

awx/main/tests/projects.py

@@ -205,11 +205,13 @@ class ProjectsTest(BaseTransactionTest):
         self.get(projects, expect=401)
         self.get(projects, expect=401, auth=self.get_invalid_credentials())
         # super user
+        import pdb
+        pdb.set_trace()
         results = self.get(projects, expect=200, auth=self.get_super_credentials())
         self.assertEquals(results['count'], 10)
         # org admin
         results = self.get(projects, expect=200, auth=self.get_normal_credentials())
-        self.assertEquals(results['count'], 10)
+        self.assertEquals(results['count'], 8)
         # user on a team
         results = self.get(projects, expect=200, auth=self.get_other_credentials())
         self.assertEquals(results['count'], 5)
@@ -300,6 +302,17 @@ class ProjectsTest(BaseTransactionTest):
         got = self.get(proj_orgs, expect=200, auth=self.get_super_credentials())
         self.assertEquals(got['count'], 2)
 
+        # Verify that creatorship doesn't imply access if access is removed
+        a_new_proj = self.make_project(created_by=self.other_django_user, playbook_content=TEST_PLAYBOOK)
+        self.organizations[0].admins.add(self.other_django_user)
+        self.organizations[0].projects.add(a_new_proj)
+        proj_detail = reverse('api:project_detail', args=(a_new_proj.pk,))
+        self.patch(proj_detail, data=dict(description="test"), expect=200, auth=self.get_other_credentials())
+        self.organizations[0].admins.remove(self.other_django_user)
+        self.patch(proj_detail, data=dict(description="test_now"), expect=403, auth=self.get_other_credentials())
+        self.delete(proj_detail, expect=403, auth=self.get_other_credentials())
+        a_new_proj.delete()
+
         # =====================================================================
         # TEAMS