Merge pull request #93 from jangsutsr/7321_prevent_unprivileged_user_from_deleting_is

Prevent unprivileged users from deleting inventory sources

awx/main/access.py

@@ -795,7 +795,8 @@ class InventorySourceAccess(BaseAccess):
                 update_on_project_update=True, source='scm').exists())
 
     def can_delete(self, obj):
-        if not (self.user.is_superuser or not (obj and obj.inventory and self.user.can_access(Inventory, 'admin', obj.inventory, None))):
+        if not self.user.is_superuser and \
+                not (obj and obj.inventory and self.user.can_access(Inventory, 'admin', obj.inventory, None)):
             return False
         active_jobs_qs = InventoryUpdate.objects.filter(inventory_source=obj, status__in=ACTIVE_STATES)
         if active_jobs_qs.exists():

awx/main/tests/functional/test_rbac_inventory.py

@@ -93,6 +93,20 @@ def test_inventory_update_org_admin(inventory_update, org_admin):
     assert access.can_delete(inventory_update)
 
 
+@pytest.mark.parametrize("role_field,allowed", [
+    (None, False),
+    ('admin_role', True),
+    ('update_role', False),
+    ('adhoc_role', False),
+    ('use_role', False)
+])
+@pytest.mark.django_db
+def test_inventory_source_delete(inventory_source, alice, role_field, allowed):
+    if role_field:
+        getattr(inventory_source.inventory, role_field).members.add(alice)
+    assert allowed == InventorySourceAccess(alice).can_delete(inventory_source), '{} test failed'.format(role_field)
+
+
 # See companion test in tests/functional/api/test_inventory.py::test_inventory_update_access_called
 @pytest.mark.parametrize("role_field,allowed", [
     (None, False),