From a9da494904d166e7de36f28934e22d92cce4e016 Mon Sep 17 00:00:00 2001
From: Wayne Witzel III <wayne@riotousliving.com>
Date: Mon, 19 Mar 2018 14:41:27 -0400
Subject: [PATCH] switch to single toggle and change name

---
 awx/main/access.py                            | 49 ++++++++++++-------
 awx/main/conf.py                              | 24 +++------
 awx/settings/defaults.py                      |  3 +-
 .../system-form/sub-forms/system-misc.form.js |  5 +-
 4 files changed, 41 insertions(+), 40 deletions(-)

diff --git a/awx/main/access.py b/awx/main/access.py
index 58a0c42bae..adf7e083bd 100644
--- a/awx/main/access.py
+++ b/awx/main/access.py
@@ -352,6 +352,9 @@ class BaseAccess(object):
                 # Connot copy manual project without errors
                 user_capabilities[display_method] = False
                 continue
+            elif display_method == 'copy' and (isinstance(obj, Team) or isinstance(obj, User)):
+                user_capabilities[display_method] = False
+                continue
             elif display_method in ['start', 'schedule'] and isinstance(obj, Group):  # TODO: remove in 3.3
                 try:
                     if obj.deprecated_inventory_source and not obj.deprecated_inventory_source._can_update():
@@ -505,9 +508,9 @@ class UserAccess(BaseAccess):
                 return False
         if self.user.is_superuser:
             return True
-        if settings.ORGS_CAN_CREATE_USERS:
-            return Organization.accessible_objects(self.user, 'admin_role').exists()
-        return False
+        if not settings.MANAGE_ORGANIZATION_AUTH:
+            return False
+        return Organization.accessible_objects(self.user, 'admin_role').exists()
 
     def can_change(self, obj, data):
         if data is not None and ('is_superuser' in data or 'is_system_auditor' in data):
@@ -519,10 +522,14 @@ class UserAccess(BaseAccess):
         # A user can be changed if they are themselves, or by org admins or
         # superusers.  Change permission implies changing only certain fields
         # that a user should be able to edit for themselves.
+        if not settings.MANAGE_ORGANIZATION_AUTH:
+            return False
         return bool(self.user == obj or self.can_admin(obj, data))
 
     @check_superuser
     def can_admin(self, obj, data):
+        if not settings.MANAGE_ORGANIZTION_AUTH:
+            return False
         return Organization.objects.filter(Q(member_role__members=obj) | Q(admin_role__members=obj),
                                            Q(admin_role__members=self.user)).exists()
 
@@ -539,13 +546,19 @@ class UserAccess(BaseAccess):
         return False
 
     def can_attach(self, obj, sub_obj, relationship, *args, **kwargs):
-        "Reverse obj and sub_obj, defer to RoleAccess if this is a role assignment."
+        if not settings.MANAGE_ORGANIZTION_AUTH:
+            return False
+
+        # Reverse obj and sub_obj, defer to RoleAccess if this is a role assignment.
         if relationship == 'roles':
             role_access = RoleAccess(self.user)
             return role_access.can_attach(sub_obj, obj, 'members', *args, **kwargs)
         return super(UserAccess, self).can_attach(obj, sub_obj, relationship, *args, **kwargs)
 
     def can_unattach(self, obj, sub_obj, relationship, *args, **kwargs):
+        if not settings.MANAGE_ORGANIZTION_AUTH:
+            return False
+
         if relationship == 'roles':
             role_access = RoleAccess(self.user)
             return role_access.can_unattach(sub_obj, obj, 'members', *args, **kwargs)
@@ -1080,9 +1093,9 @@ class TeamAccess(BaseAccess):
     def can_add(self, data):
         if not data:  # So the browseable API will work
             return Organization.accessible_objects(self.user, 'admin_role').exists()
-        if settings.ORGS_CAN_ASSIGN_USERS_TEAM:
-            return self.check_related('organization', Organization, data)
-        return False
+        if not settings.MANAGE_ORGANIZATION_AUTH:
+            return False
+        return self.check_related('organization', Organization, data)
 
     def can_change(self, obj, data):
         # Prevent moving a team to a different organization.
@@ -1091,6 +1104,8 @@ class TeamAccess(BaseAccess):
             raise PermissionDenied(_('Unable to change organization on a team.'))
         if self.user.is_superuser:
             return True
+        if not settings.MANAGE_ORGANIZATION_AUTH:
+            return False
         return self.user in obj.admin_role
 
     def can_delete(self, obj):
@@ -1099,6 +1114,8 @@ class TeamAccess(BaseAccess):
     def can_attach(self, obj, sub_obj, relationship, *args, **kwargs):
         """Reverse obj and sub_obj, defer to RoleAccess if this is an assignment
         of a resource role to the team."""
+        if not settings.MANAGE_ORGANIZATION_AUTH:
+            return False
         if isinstance(sub_obj, Role):
             if sub_obj.content_object is None:
                 raise PermissionDenied(_("The {} role cannot be assigned to a team").format(sub_obj.name))
@@ -1111,22 +1128,20 @@ class TeamAccess(BaseAccess):
                                               *args, **kwargs)
         if self.user.is_superuser:
             return True
-
-        if settings.ORGS_CAN_ASSIGN_USERS_TEAM:
-            return super(TeamAccess, self).can_attach(obj, sub_obj, relationship,
-                                                      *args, **kwargs)
-        return False
+        return super(TeamAccess, self).can_attach(obj, sub_obj, relationship,
+                                                  *args, **kwargs)
 
     def can_unattach(self, obj, sub_obj, relationship, *args, **kwargs):
+        if not settings.MANAGE_ORGANIZATION_AUTH:
+            return False
+
         if isinstance(sub_obj, Role):
             if isinstance(sub_obj.content_object, ResourceMixin):
                 role_access = RoleAccess(self.user)
                 return role_access.can_unattach(sub_obj, obj, 'member_role.parents',
                                                 *args, **kwargs)
-        if settings.ORGS_CAN_ASSIGN_USERS_TEAM:
-            return super(TeamAccess, self).can_unattach(obj, sub_obj, relationship,
-                                                        *args, **kwargs)
-        return False
+        return super(TeamAccess, self).can_unattach(obj, sub_obj, relationship,
+                                                    *args, **kwargs)
 
 
 class ProjectAccess(BaseAccess):
@@ -2484,7 +2499,7 @@ class RoleAccess(BaseAccess):
     @check_superuser
     def can_unattach(self, obj, sub_obj, relationship, data=None, skip_sub_obj_read_check=False):
         if isinstance(obj.content_object, Team):
-            if not settings.ORGS_CAN_ASSIGN_USERS_TEAM:
+            if not settings.MANAGE_ORGANIZATION_AUTH:
                 return False
 
         if not skip_sub_obj_read_check and relationship in ['members', 'member_role.parents', 'parents']:
diff --git a/awx/main/conf.py b/awx/main/conf.py
index 79aeb5397f..154de417e4 100644
--- a/awx/main/conf.py
+++ b/awx/main/conf.py
@@ -44,24 +44,11 @@ register(
 )
 
 register(
-    'ORGS_CAN_CREATE_USERS',
+    'MANAGE_ORGANIZATION_AUTH',
     field_class=fields.BooleanField,
-    label=_('Organization Admins can create users.'),
-    help_text=_('Enable Organizations to create users. You may want to '
-                'disable this if you populate your users from some external source '
-                'like LDAP or SAML.'),
-    category=_('System'),
-    category_slug='system',
-)
-
-register(
-    'ORGS_CAN_ASSIGN_USERS_TEAM',
-    field_class=fields.BooleanField,
-    label=_('Organization Admins can assign users to teams.'),
-    help_text=_('Enable Organizations to assign users to teams. You may want to '
-                'disable this if you populate your users from some external source '
-                'like LDAP or SAML. This will prevent team assignments for '
-                'Organization and Team admins.'),
+    label=_('Organizations Can Manage Users and Teams'),
+    help_text=_('Controls whether Orgainzations have the privileges to create and manage users and teams. '
+                'You may want to disable this ability if you are using an LDAP or SAML integration.'),
     category=_('System'),
     category_slug='system',
 )
@@ -113,6 +100,7 @@ register(
     category_slug='system',
 )
 
+
 def _load_default_license_from_file():
     try:
         license_file = os.environ.get('AWX_LICENSE_FILE', '/etc/tower/license')
@@ -124,6 +112,7 @@ def _load_default_license_from_file():
         logger.warning('Could not read license from "%s".', license_file, exc_info=True)
     return {}
 
+
 register(
     'LICENSE',
     field_class=fields.DictField,
@@ -505,6 +494,7 @@ register(
     category_slug='logging',
 )
 
+
 def logging_validate(serializer, attrs):
     if not serializer.instance or \
             not hasattr(serializer.instance, 'LOG_AGGREGATOR_HOST') or \
diff --git a/awx/settings/defaults.py b/awx/settings/defaults.py
index 77af490dbe..4fdc097c33 100644
--- a/awx/settings/defaults.py
+++ b/awx/settings/defaults.py
@@ -945,8 +945,7 @@ FACT_CACHE_PORT = 6564
 
 # Note: This setting may be overridden by database settings.
 ORG_ADMINS_CAN_SEE_ALL_USERS = True
-ORGS_CAN_CREATE_USERS = True
-ORGS_CAN_ASSIGN_USERS_TEAM = True
+MANAGE_ORGANIZATION_AUTH = True
 
 # Note: This setting may be overridden by database settings.
 TOWER_ADMIN_ALERTS = True
diff --git a/awx/ui/client/src/configuration/system-form/sub-forms/system-misc.form.js b/awx/ui/client/src/configuration/system-form/sub-forms/system-misc.form.js
index 48f3076a5c..02b71edaec 100644
--- a/awx/ui/client/src/configuration/system-form/sub-forms/system-misc.form.js
+++ b/awx/ui/client/src/configuration/system-form/sub-forms/system-misc.form.js
@@ -21,10 +21,7 @@ export default ['i18n', function(i18n) {
             ORG_ADMINS_CAN_SEE_ALL_USERS: {
                 type: 'toggleSwitch',
             },
-            ORGS_CAN_CREATE_USERS: {
-                type: 'toggleSwitch',
-            },
-            ORGS_CAN_ASSIGN_USERS_TEAM: {
+            MANAGE_ORGANIZATION_AUTH: {
                 type: 'toggleSwitch',
             },
             SESSION_COOKIE_AGE: {