Deprecated Team.projects and Project.teams relations, switching to using RBAC

awx/main/migrations/0007_v300_rbac_changes.py

@@ -33,6 +33,11 @@ class Migration(migrations.Migration):
             'users',
             'deprecated_users',
         ),
+        migrations.RenameField(
+            'Team',
+            'projects',
+            'deprecated_projects',
+        ),
 
         migrations.CreateModel(
             name='Role',

awx/main/migrations/_old_access.py

@@ -208,7 +208,7 @@ class UserAccess(BaseAccess):
             Q(pk=self.user.pk) |
             Q(organizations__in=self.user.deprecated_admin_of_organizations) |
             Q(organizations__in=self.user.deprecated_organizations) |
-            Q(teams__in=self.user.teams)
+            Q(deprecated_teams__in=self.user.deprecated_teams)
         ).distinct()
 
     def can_add(self, data):
@@ -690,7 +690,7 @@ class ProjectAccess(BaseAccess):
         qs = qs.filter(Q(created_by=self.user, deprecated_organizations__isnull=True) |
                        Q(deprecated_organizations__deprecated_admins__in=[self.user]) |
                        Q(deprecated_organizations__deprecated_users__in=[self.user]) |
-                       Q(teams__in=team_ids))
+                       Q(deprecated_teams__in=team_ids))
         allowed_deploy = [PERM_JOBTEMPLATE_CREATE, PERM_INVENTORY_DEPLOY]
         allowed_check = [PERM_JOBTEMPLATE_CREATE, PERM_INVENTORY_DEPLOY, PERM_INVENTORY_CHECK]
 

awx/main/migrations/_rbac.py

@@ -265,7 +265,7 @@ def migrate_projects(apps, schema_editor):
             project.admin_role.members.add(project.created_by)
             migrations[project.name]['users'].add(project.created_by)
 
-        for team in project.teams.all():
+        for team in project.deprecated_teams.all():
             team.member_role.children.add(project.member_role)
             migrations[project.name]['teams'].add(team)
 

awx/main/models/organization.py

@@ -103,10 +103,10 @@ class Team(CommonModelNameNotUnique, ResourceMixin):
         on_delete=models.SET_NULL,
         related_name='teams',
     )
-    projects = models.ManyToManyField(
+    deprecated_projects = models.ManyToManyField(
         'Project',
         blank=True,
-        related_name='teams',
+        related_name='deprecated_teams',
     )
     admin_role = ImplicitRoleField(
         role_name='Team Administrator',

awx/main/models/projects.py

@@ -225,7 +225,6 @@ class Project(UnifiedJobTemplate, ProjectOptions, ResourceMixin):
         role_description='May manage this project',
         parent_role=[
             'organization.admin_role',
-            'teams.member_role',
             'singleton:' + ROLE_SINGLETON_SYSTEM_ADMINISTRATOR,
         ],
         permissions = {'all': True}

awx/main/tests/functional/test_rbac_core.py

@@ -241,20 +241,3 @@ def test_auto_parenting():
     assert org2.admin_role.is_ancestor_of(prj1.admin_role)
     assert org2.admin_role.is_ancestor_of(prj2.admin_role)
 
-@pytest.mark.django_db
-def test_auto_m2m_parenting(team, project, user):
-    u = user('some-user')
-    team.member_role.members.add(u)
-
-    assert project.accessible_by(u, {'read': True}) is False
-
-    project.teams.add(team)
-    assert project.accessible_by(u, {'read': True})
-    project.teams.remove(team)
-    assert project.accessible_by(u, {'read': True}) is False
-
-    team.projects.add(project)
-    assert project.accessible_by(u, {'read': True})
-    team.projects.remove(project)
-    assert project.accessible_by(u, {'read': True}) is False
-

awx/main/tests/functional/test_rbac_project.py

@@ -147,7 +147,7 @@ def test_project_team(user, team, project):
     member = user('member')
 
     team.deprecated_users.add(member)
-    project.teams.add(team)
+    project.deprecated_teams.add(team)
 
     assert project.accessible_by(nonmember, {'read': True}) is False
     assert project.accessible_by(member, {'read': True}) is False