From 5dbce56beb2502c31f8dd233a5db549d5ae7c465 Mon Sep 17 00:00:00 2001
From: Akita Noek
Date: Tue, 24 May 2016 12:42:51 -0400
Subject: [PATCH] When migrating, grant read_role instead of use_role appropriately

Only give read access to folks that didn't have explicit permissions to use a project in a job template before.
---
 awx/main/migrations/_rbac.py | 30 ++++++++++++++++++------------
 1 file changed, 18 insertions(+), 12 deletions(-)

diff --git a/awx/main/migrations/_rbac.py b/awx/main/migrations/_rbac.py
index e16b3575d3..4429453b2c 100644
--- a/awx/main/migrations/_rbac.py
+++ b/awx/main/migrations/_rbac.py
@@ -215,11 +215,11 @@ def migrate_inventory(apps, schema_editor):
 Inventory = apps.get_model('main', 'Inventory')
 Permission = apps.get_model('main', 'Permission')
- def role_from_permission():
+ def role_from_permission(perm):
 if perm.permission_type == 'admin':
 return inventory.admin_role
 elif perm.permission_type == 'read':
- return inventory.read_role
+ return inventory.use_role
 elif perm.permission_type == 'write':
 return inventory.update_role
 elif perm.permission_type == 'check' or perm.permission_type == 'run' or perm.permission_type == 'create':
@@ -233,7 +233,7 @@ def migrate_inventory(apps, schema_editor):
 role = None
 execrole = None
- role = role_from_permission()
+ role = role_from_permission(perm)
 if role is None:
 raise Exception(smart_text(u'Unhandled permission type for inventory: {}'.format(
 perm.permission_type)))
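Review bot: The `'read'` branch of `role_from_permission` now returns `inventory.use_role` where it previously returned `inventory.read_role`, which widens what a legacy read-only inventory permission is converted into — if `use_role` in this hierarchy implies read plus the ability to attach the inventory to job templates, holders of the old `read` permission gain access they did not have, while the commit message only describes narrowing project access. If the widening is intentional (for example because the old `read` permission on an inventory already allowed it to be used in job templates) it deserves an inline comment such as `# legacy 'read' on an inventory also allowed using it in job templates, hence use_role rather than read_role`; otherwise `return inventory.read_role` should be restored. `role_from_permission` now takes `perm` explicitly but still closes over `inventory` from the enclosing scope; passing both as parameters would make the helper self-contained and easier to test. `migrate_inventory` begins and ends outside these hunks.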
@@ -320,24 +320,30 @@ def migrate_projects(apps, schema_editor):
 logger.warn(smart_text(u'adding Project({}) admin: {}'.format(project.name, project.created_by.username)))
 for team in project.deprecated_teams.all():
- team.member_role.children.add(project.use_role)
+ team.member_role.children.add(project.read_role)
 logger.info(smart_text(u'adding Team({}) access for Project({})'.format(team.name, project.name)))
- if project.organization is not None:
- for user in project.organization.deprecated_users.all():
- project.use_role.members.add(user)
- logger.info(smart_text(u'adding Organization({}) member access to Project({})'.format(project.organization.name, project.name)))
-
 for perm in Permission.objects.filter(project=project):
- # All perms at this level just imply a user or team can read
+ if perm.permission_type == 'create':
+ role = project.use_role
+ else:
+ role = project.read_role
+
 if perm.team:
- perm.team.member_role.children.add(project.use_role)
+ perm.team.member_role.children.add(role)
 logger.info(smart_text(u'adding Team({}) access for Project({})'.format(perm.team.name, project.name)))
 if perm.user:
- project.use_role.members.add(perm.user)
+ role.members.add(perm.user)
 logger.info(smart_text(u'adding User({}) access for Project({})'.format(perm.user.username, project.name)))
+ if project.organization is not None:
+ for user in project.organization.deprecated_users.all():
+ if not (project.use_role.members.filter(pk=user.id).exists() or project.admin_role.members.filter(pk=user.id).exists()):
+ project.read_role.members.add(user)
+ logger.info(smart_text(u'adding Organization({}) member access to Project({})'.format(project.organization.name, project.name)))
+
+
 @log_migration
 def migrate_job_templates(apps, schema_editor):
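Review bot: The guard in the new organization-member loop tests only direct membership of `project.use_role` and `project.admin_role`, so a user whose use access came through a team (`perm.team.member_role.children.add(role)` earlier in this hunk) is not recognised and still receives a direct `read_role` membership; that is redundant rather than an escalation if use implies read in this hierarchy, but it also costs two `.exists()` queries per organization user on what can be a large migration. Collecting the already-granted ids once before the loop, `granted = set(project.use_role.members.values_list('pk', flat=True)) | set(project.admin_role.members.values_list('pk', flat=True))`, and testing `if user.pk not in granted:` keeps the same direct-membership semantics at one query per role. The removed comment explained the old all-read mapping, and the new `if perm.permission_type == 'create':` branch deserves a replacement stating the intended reading, e.g. `# legacy 'create' was the only project permission that allowed using the project in a job template; every other type just implied read`. `migrate_projects` begins outside the hunk.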