From 945635eb70d8cefadc97218981fb95d1465e08ab Mon Sep 17 00:00:00 2001
From: AlanCoding
Date: Wed, 27 Jul 2016 16:54:50 -0400
Subject: [PATCH] also limit creation of system auditors to superusers squash
---
 awx/main/access.py | 10 ++++++----
 awx/main/tests/functional/test_rbac_user.py | 13 +++++++++++++
 2 files changed, 19 insertions(+), 4 deletions(-)
diff --git a/awx/main/access.py b/awx/main/access.py
index c109e5d449..d8fe5b245b 100644
--- a/awx/main/access.py
+++ b/awx/main/access.py
@@ -245,16 +245,18 @@ class UserAccess(BaseAccess):
 def can_add(self, data):
- if data is not None and 'is_superuser' in data:
- if to_python_boolean(data['is_superuser'], allow_none=True) and not self.user.is_superuser:
+ if data is not None and ('is_superuser' in data or 'is_system_auditor' in data):
+ if (to_python_boolean(data.get('is_superuser', 'false'), allow_none=True) or
+ to_python_boolean(data.get('is_system_auditor', 'false'), allow_none=True)) and not self.user.is_superuser:
 return False
 if self.user.is_superuser:
 return True
 return Organization.accessible_objects(self.user, 'admin_role').exists()
 def can_change(self, obj, data):
- if data is not None and 'is_superuser' in data:
- if to_python_boolean(data['is_superuser'], allow_none=True) and not self.user.is_superuser:
+ if data is not None and ('is_superuser' in data or 'is_system_auditor' in data):
+ if (to_python_boolean(data.get('is_superuser', 'false'), allow_none=True) or
+ to_python_boolean(data.get('is_system_auditor', 'false'), allow_none=True)) and not self.user.is_superuser:
 return False
 # A user can be changed if they are themselves, or by org admins or
 # superusers. Change permission implies changing only certain fields
diff --git a/awx/main/tests/functional/test_rbac_user.py b/awx/main/tests/functional/test_rbac_user.py
index c5959a2c32..de2b9aa8b1 100644
--- a/awx/main/tests/functional/test_rbac_user.py
+++ b/awx/main/tests/functional/test_rbac_user.py
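Review bot: The new guard in can_change only denies when a flag is being set to true; a non-superuser sending `is_system_auditor: 'false'` (or `is_superuser: 'false'`) for a user who currently holds that flag passes this check, so clearing a system auditor's flag by an org admin is not decided here — whether the checks later in can_change cover that is outside the hunk, since can_change's body continues past it. The outer `('is_superuser' in data or 'is_system_auditor' in data)` test is now redundant, because both lookups default to `'false'` and `to_python_boolean('false', ...)` already yields a falsy result. The same two-flag predicate is also duplicated verbatim between can_add and can_change in this hunk; extracting it into one helper keeps the two methods in step when the next privileged flag is added, and gives the rule a place to be documented. The rewritten call sites below are behaviour-identical to the hunk's new side.
```python
    def _grants_system_flag(self, data):
        """Return True when *data* asks to set is_superuser or is_system_auditor.

        Only superusers may grant either flag; callers deny the request when
        this is True and self.user is not a superuser. A missing key counts as
        'false', so callers need no separate presence check.
        """
        if data is None:
            return False
        return any(
            to_python_boolean(data.get(flag, 'false'), allow_none=True)
            for flag in ('is_superuser', 'is_system_auditor'))

    def can_add(self, data):
        if self._grants_system_flag(data) and not self.user.is_superuser:
            return False
        # … unchanged: superuser / org-admin checks …

    def can_change(self, obj, data):
        if self._grants_system_flag(data) and not self.user.is_superuser:
            return False
        # … unchanged: remainder of can_change (continues past the hunk) …
```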
@@ -75,3 +75,16 @@ def test_org_user_removed(user, organization):
 organization.member_role.members.remove(member)
 assert admin not in member.admin_role
+
+@pytest.mark.django_db
+def test_org_admin_create_sys_auditor(org_admin):
+ access = UserAccess(org_admin)
+ assert not access.can_add(data=dict(
+ username='new_user', password="pa$$sowrd", email="asdf@redhat.com",
+ is_system_auditor='true'))
+
+@pytest.mark.django_db
+def test_org_admin_edit_sys_auditor(org_admin, alice, organization):
+ organization.member_role.members.add(alice)
+ access = UserAccess(org_admin)
+ assert not access.can_change(obj=alice, data=dict(is_system_auditor='true'))
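Review bot: Both new tests assert only the denial, so nothing pins that the access change kept the positive paths open: a superuser granting `is_system_auditor`, and an org admin still creating an ordinary user with no flag in the data — a regression that returned False unconditionally would pass both tests. Add an org-admin positive case next to test_org_admin_create_sys_auditor, e.g. `assert access.can_add(data=dict(username='new_user', password="pa$$sowrd", email="asdf@redhat.com"))`, and a superuser-actor counterpart for each test using whichever superuser fixture the module already provides (its fixtures are outside the hunk). test_org_admin_edit_sys_auditor also only exercises granting the flag on a non-auditor `alice`; a case where alice is already a system auditor and the data sends `is_system_auditor='false'` would document whether org admins may clear the flag, which the guard under test does not decide on its own.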