From fd33d7df58d7056bba8e2ec5a4da4db63959ff00 Mon Sep 17 00:00:00 2001
From: Matthew Jones
Date: Tue, 13 Oct 2015 16:40:53 -0400
Subject: [PATCH] Tweak proj rbac for orphaned projects

Slight tweak to the rbac for projects related to the user who created them. IF a user created a project but it is orphaned/not associated with an organization then they will be able to see/change it. If, however, it is created and associated with an organization and then they are removed as an org admin they will no longer have access to it.
---
 awx/main/access.py | 7 ++++++-
 awx/main/tests/projects.py | 2 +-
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/awx/main/access.py b/awx/main/access.py
index 4ae84f233a..ccac7c3163 100644
--- a/awx/main/access.py
+++ b/awx/main/access.py
@@ -673,9 +673,11 @@ class ProjectAccess(BaseAccess):
 - I am on a team associated with the project.
 - I have been explicitly granted permission to run/check jobs using the project.
+ - I created the project but it isn't associated with an organization
 I can change/delete when:
 - I am a superuser.
 - I am an admin in an organization associated with the project.
+ - I created the project but it isn't associated with an organization
 '''
 model = Project
@@ -686,7 +688,8 @@ class ProjectAccess(BaseAccess):
 if self.user.is_superuser:
 return qs
 team_ids = set(Team.objects.filter(users__in=[self.user]).values_list('id', flat=True))
- qs = qs.filter(Q(organizations__admins__in=[self.user], organizations__active=True) |
+ qs = qs.filter(Q(created_by=self.user, organizations__isnull=True) |
+ Q(organizations__admins__in=[self.user], organizations__active=True) |
 Q(organizations__users__in=[self.user], organizations__active=True) |
 Q(teams__in=team_ids))
 allowed_deploy = [PERM_JOBTEMPLATE_CREATE, PERM_INVENTORY_DEPLOY]
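Review bot: The creator clause added to the queryset, `Q(created_by=self.user, organizations__isnull=True)`, grants visibility only when the project has no organization at all, while the parallel clause added to `can_change` in the `@@ -717` hunk grants change rights whenever no *active* organization remains; a project whose only organization has been deactivated is therefore changeable by its creator but not visible to them through this queryset, and the read and change predicates for the same rule should use the same test. Since the commit message ties the creator's retained access to the project being orphaned, the stricter `organizations__isnull=True` reading appears to be the intended one, so `can_change` is the side to align. The enclosing queryset method starts before this hunk.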
@@ -717,6 +720,8 @@ class ProjectAccess(BaseAccess):
 def can_change(self, obj, data):
 if self.user.is_superuser:
 return True
+ if obj.created_by == self.user and not obj.organizations.filter(active=True).count():
+ return True
 if obj.organizations.filter(active=True, admins__in=[self.user]).exists():
 return True
 return False
diff --git a/awx/main/tests/projects.py b/awx/main/tests/projects.py
index ebd8636c36..f698267a0c 100644
--- a/awx/main/tests/projects.py
+++ b/awx/main/tests/projects.py
@@ -209,7 +209,7 @@ class ProjectsTest(BaseTransactionTest):
 self.assertEquals(results['count'], 10)
 # org admin
 results = self.get(projects, expect=200, auth=self.get_normal_credentials())
- self.assertEquals(results['count'], 8)
+ self.assertEquals(results['count'], 9)
 # user on a team
 results = self.get(projects, expect=200, auth=self.get_other_credentials())
 self.assertEquals(results['count'], 5)
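Review bot: The new guard in `can_change` tests emptiness with `not obj.organizations.filter(active=True).count()` while the line directly below tests the same relation with `.exists()`; `if obj.created_by == self.user and not obj.organizations.filter(active=True).exists():` keeps both checks in one idiom and avoids counting rows only to compare against zero. The docstring updated in the first hunk promises the creator of an orphaned project change *and* delete rights, but only `can_change` is touched here; if `can_delete` (outside this diff) does not delegate to `can_change`, it needs the same clause, otherwise the docstring overstates what the code grants. Where `created_by` is unset the comparison is simply false, which is the safe direction, so no extra null handling is needed.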
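Review bot: The only test change is the org admin's visible-project count moving from 8 to 9, so the new creator rule is covered by a single list count and nothing asserts the boundary the commit message describes: that a creator removed as org admin from an org-owned project no longer sees or changes it, and that the creator of an org-less project can change it. One request per case using the existing `self.get(projects, expect=..., auth=...)` pattern (and its change counterpart) with the expected status would pin that access boundary rather than leaving it implied by an aggregate count.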