From 057efd3d5abaae955aa9542565a832bda1955b8d Mon Sep 17 00:00:00 2001
From: AlanCoding
Date: Mon, 5 Dec 2016 11:40:26 -0500
Subject: [PATCH] avoid applying system auditor prop if action was association

---
 awx/api/views.py | 2 +-
 .../functional/api/test_create_attach_views.py | 15 +++++++++++++++
 2 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/awx/api/views.py b/awx/api/views.py
index dd57f1bf6e..6a1c24bad4 100644
--- a/awx/api/views.py
+++ b/awx/api/views.py
@@ -768,7 +768,7 @@ class BaseUsersList(SubListCreateAttachDetachAPIView):
 def post(self, request, *args, **kwargs):
 ret = super(BaseUsersList, self).post( request, *args, **kwargs)
 try:
- if request.data.get('is_system_auditor', False):
+ if ret.data is not None and request.data.get('is_system_auditor', False):
 # This is a faux-field that just maps to checking the system
 # auditor role member list.. unfortunately this means we can't
 # set it on creation, and thus needs to be set here.
diff --git a/awx/main/tests/functional/api/test_create_attach_views.py b/awx/main/tests/functional/api/test_create_attach_views.py
index 48f3aadc7b..b80cb4fa2c 100644
--- a/awx/main/tests/functional/api/test_create_attach_views.py
+++ b/awx/main/tests/functional/api/test_create_attach_views.py
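Review bot: The added guard `ret.data is not None` in `BaseUsersList.post` recognises a create only by the presence of a response body, and a response that carries validation errors presumably has a body too, so the auditor branch can still be entered after a failed POST. Because this branch grants a system-wide role, keying it on the outcome is tighter: `if ret.status_code == 201 and request.data.get('is_system_auditor', False):` (assuming the parent view returns 201 on create, which is not visible here). The rest of `post` lies outside the hunk, including the `except` clause and any check that the requester may grant the auditor role. Both should be confirmed alongside this change.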
@@ -45,3 +45,18 @@ def test_role_team_view_access(rando, team, inventory, mocker, post): mock_access.assert_called_once_with( inventory.admin_role, team, 'member_role.parents', data, skip_sub_obj_read_check=False) + + +@pytest.mark.django_db +def test_org_associate_with_junk_data(rando, admin_user, organization, post): + """ + Assure that post-hoc enforcement of auditor role + will turn off if the action is an association + """ + user_data = {'is_system_auditor': True, 'id': rando.pk} + post(url=reverse('api:organization_users_list', args=(organization.pk,)), + data=user_data, expect=204, user=admin_user) + # assure user is now an org member + assert rando in organization.member_role + # assure that this did not also make them a system auditor + assert not rando.is_system_auditor
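Review bot: `test_org_associate_with_junk_data` drives the association only as `admin_user`, so it does not show that a less-privileged requester is covered, which is where an unintended auditor grant matters most. Consider a second case that passes an organization admin as `user=`. A companion assertion that a genuine create with `is_system_auditor: True` still sets the flag would pin the `ret.data is not None` guard from both sides. A short comment beside `expect=204`, such as `# 204 = attach of an existing user, no response body`, would tie the test to the condition it protects.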