From fc9695208416924e99ed08ccc0006764696be042 Mon Sep 17 00:00:00 2001
From: AlanCoding
Date: Wed, 20 Jul 2016 10:21:38 -0400
Subject: [PATCH] orphan project protection in job delete access
---
 awx/main/access.py | 3 ++-
 awx/main/tests/functional/test_rbac_job.py | 6 ++++++
 2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/awx/main/access.py b/awx/main/access.py
index d3f8e50990..0d09c57f5e 100644
--- a/awx/main/access.py
+++ b/awx/main/access.py
@@ -1081,7 +1081,8 @@ class JobAccess(BaseAccess):
 def can_delete(self, obj):
 if obj.inventory is not None and self.user in obj.inventory.organization.admin_role:
 return True
- if obj.project is not None and self.user in obj.project.organization.admin_role:
+ if (obj.project is not None and obj.project.organization is not None and
+ self.user in obj.project.organization.admin_role):
 return True
 return False
 
diff --git a/awx/main/tests/functional/test_rbac_job.py b/awx/main/tests/functional/test_rbac_job.py
index f1688b7046..febade67eb 100644
--- a/awx/main/tests/functional/test_rbac_job.py
+++ b/awx/main/tests/functional/test_rbac_job.py
@@ -92,6 +92,12 @@ def test_null_related_delete_denied(normal_job, rando):
 access = JobAccess(rando)
 assert not access.can_delete(normal_job)
 
+@pytest.mark.django_db
+def test_delete_job_with_orphan_proj(normal_job, rando):
+ normal_job.project.organization = None
+ access = JobAccess(rando)
+ assert not access.can_delete(normal_job)
+
 @pytest.mark.django_db
 def test_inventory_org_admin_delete_allowed(normal_job, org_admin):
 normal_job.project = None # do this so we test job->inventory->org->admin connection
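Review bot: The inventory branch one line above the changed condition in `can_delete` still dereferences `obj.inventory.organization.admin_role` without the None check this commit adds for the project branch. If an inventory can also lose its organization (not visible from this hunk, so confirm against the model), the permission check would raise AttributeError instead of returning a clean denial. I would guard it the same way: `if obj.inventory is not None and obj.inventory.organization is not None and self.user in obj.inventory.organization.admin_role:`. The enclosing `JobAccess` class starts outside the hunk, so other methods that may share this pattern are not visible here.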
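Review bot: `test_delete_job_with_orphan_proj` carries no comment saying which regression it guards, unlike the neighbouring test, which explains its `project = None` setup. I would add a comment above the assignment such as `# orphaned project (organization is None): can_delete must return False, not raise`. Reaching the project branch also depends on `rando` not being an admin of the inventory's organization in the `normal_job` fixture, which is defined outside this hunk, so that assumption is worth stating in the same comment. The surrounding tests `test_null_related_delete_denied` and `test_inventory_org_admin_delete_allowed` start and end outside the hunk.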