Tweak proj rbac for orphaned projects

Slight tweak to the RBAC for projects related to the user who created
them.  If a user created a project but it is orphaned/not associated
with an organization, then they will be able to see/change it.  If,
however, it is created and associated with an organization and they are
then removed as an org admin, they will no longer have access to it.
Matthew Jones 2015-10-13 16:40:53 -04:00
parent d0888c1bcb
commit fd33d7df58
2 changed files with 7 additions and 2 deletions


@ -673,9 +673,11 @@ class ProjectAccess(BaseAccess):
- I am on a team associated with the project.
- I have been explicitly granted permission to run/check jobs using the
project.
- I created the project but it isn't associated with an organization
I can change/delete when:
- I am a superuser.
- I am an admin in an organization associated with the project.
- I created the project but it isn't associated with an organization
'''
model = Project
@ -686,7 +688,8 @@ class ProjectAccess(BaseAccess):
if self.user.is_superuser:
return qs
team_ids = set(Team.objects.filter(users__in=[self.user]).values_list('id', flat=True))
qs = qs.filter(Q(organizations__admins__in=[self.user], organizations__active=True) |
qs = qs.filter(Q(created_by=self.user, organizations__isnull=True) |
Q(organizations__admins__in=[self.user], organizations__active=True) |
Q(organizations__users__in=[self.user], organizations__active=True) |
Q(teams__in=team_ids))
allowed_deploy = [PERM_JOBTEMPLATE_CREATE, PERM_INVENTORY_DEPLOY]
@ -717,6 +720,8 @@ class ProjectAccess(BaseAccess):
def can_change(self, obj, data):
if self.user.is_superuser:
return True
if obj.created_by == self.user and not obj.organizations.filter(active=True).count():
return True
if obj.organizations.filter(active=True, admins__in=[self.user]).exists():
return True
return False
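Review bot: The two creator checks define "orphaned" differently: the list filter in the second hunk uses `organizations__isnull=True` (no organization at all), while can_change uses `not obj.organizations.filter(active=True).count()` (no active organization). If organizations are deactivated by setting active=False, as these filters suggest, a creator who was removed as org admin would get change rights back once the project's organizations go inactive, which the description says should not happen, while the project would still be missing from their list. Pick one definition for both places; for the strict reading, `if obj.created_by == self.user and not obj.organizations.exists():` matches the queryset and uses `.exists()` like the check below it. The method holding the queryset filter starts outside the hunk, and the docstring's new "change/delete" line also promises a delete rule whose check is not visible here.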


@ -209,7 +209,7 @@ class ProjectsTest(BaseTransactionTest):
self.assertEquals(results['count'], 10)
# org admin
results = self.get(projects, expect=200, auth=self.get_normal_credentials())
self.assertEquals(results['count'], 8)
self.assertEquals(results['count'], 9)
# user on a team
results = self.get(projects, expect=200, auth=self.get_other_credentials())
self.assertEquals(results['count'], 5)
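Review bot: The only test change is the org admin's list count going from 8 to 9, which shows that one more project is visible but not which one or why. Nothing in this section exercises the new can_change branch, or the case the description calls out where a creator loses access after being removed as org admin; the rest of the test method is outside the hunk, so such checks may exist elsewhere. If the extra project is the orphaned one this user created, a comment such as `# 8 via org membership + 1 orphaned project created by this user` above the assertion would record that, and a negative test for the revocation case would pin the rule the commit is meant to enforce.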