diff --git a/awx/main/access.py b/awx/main/access.py index e513a69772..15af5b2ff9 100644 --- a/awx/main/access.py +++ b/awx/main/access.py @@ -1369,14 +1369,15 @@ class NotificationTemplateAccess(BaseAccess): @check_superuser def can_change(self, obj, data): + if obj.organization is None: + # only superusers are allowed to edit orphan notification templates + return False org_pk = get_pk_from_dict(data, 'organization') if obj and org_pk and obj.organization.pk != org_pk: org = get_object_or_400(Organization, pk=org_pk) if self.user not in org.admin_role: return False - if obj.organization is not None: - return self.user in obj.organization.admin_role - return False + return self.user in obj.organization.admin_role def can_admin(self, obj, data): return self.can_change(obj, data) diff --git a/awx/main/tests/functional/test_rbac_notifications.py b/awx/main/tests/functional/test_rbac_notifications.py index 9cabec6fbf..35cbd43814 100644 --- a/awx/main/tests/functional/test_rbac_notifications.py +++ b/awx/main/tests/functional/test_rbac_notifications.py @@ -75,3 +75,9 @@ def test_notification_template_access_org_user(notification_template, user): assert not access.can_read(notification_template) assert not access.can_change(notification_template, None) assert not access.can_delete(notification_template) + +@pytest.mark.django_db +def test_notificaiton_template_orphan_access_org_admin(notification_template, organization, org_admin): + notification_template.organization = None + access = NotificationTemplateAccess(org_admin) + assert not access.can_change(notification_template, {'organization': organization.id})