AlanCoding/related_rbac_simplification.diff

## related_rbac_simplification.diff
diff --git a/awx/main/access.py b/awx/main/access.py
index 34008d47c6..b9e671018b 100644
--- a/awx/main/access.py
+++ b/awx/main/access.py
@@ -306,7 +306,7 @@ class BaseAccess(object):
          - creating a new resource, user must have permission if
            resource is specified in `data`
          - editing an existing resource, user must have permission to resource
-           in `data`, as well as existing related resource on `obj`
+           in `data`

         If `mandatory` is set, new resources require the field and
                                existing field will always be checked
@@ -1628,66 +1628,13 @@ class JobTemplateAccess(NotificationAttachMixin, UnifiedCredentialsMixin, BaseAc
         if data is None:
             return True

-        data = dict(data)
-        if self.changes_are_non_sensitive(obj, data):
-            return True
-        if not self.check_related('execution_environment', ExecutionEnvironment, data, obj=obj, role_field='read_role'):
-            return False
-        for required_field, cls in (('inventory', Inventory), ('project', Project)):
-            is_mandatory = True
-            if not getattr(obj, '{}_id'.format(required_field)):
-                is_mandatory = False
-            if not self.check_related(required_field, cls, data, obj=obj, role_field='use_role', mandatory=is_mandatory):
-                if required_field in data:
-                    new_obj = get_object_from_data(required_field, cls, data)
-                    return self.user in new_obj.use_role and (self.user in obj.inventory.use_role or self.user in obj.project.use_role)
-                return False
-        return True
-
-    def changes_are_non_sensitive(self, obj, data):
-        """
-        Return true if the changes being made are considered nonsensitive, and
-        thus can be made by a job template administrator which may not have access
-        to the any inventory, project, or credentials associated with the template.
-        """
-        allowed_fields = [
-            'name',
-            'description',
-            'forks',
-            'limit',
-            'verbosity',
-            'extra_vars',
-            'job_tags',
-            'force_handlers',
-            'skip_tags',
-            'ask_variables_on_launch',
-            'ask_tags_on_launch',
-            'ask_job_type_on_launch',
-            'ask_skip_tags_on_launch',
-            'ask_inventory_on_launch',
-            'ask_credential_on_launch',
-            'survey_enabled',
-            'custom_virtualenv',
-            'diff_mode',
-            'timeout',
-            'job_slice_count',
-            # These fields are ignored, but it is convenient for QA to allow clients to post them
-            'last_job_run',
-            'created',
-            'modified',
-        ]
-
-        for k, v in data.items():
-            if k not in [x.name for x in obj._meta.concrete_fields]:
-                continue
-            if hasattr(obj, k) and getattr(obj, k) != v:
-                if (
-                    k not in allowed_fields
-                    and v != getattr(obj, '%s_id' % k, None)
-                    and not (hasattr(obj, '%s_id' % k) and getattr(obj, '%s_id' % k) is None and v == '')
-                ):  # Equate '' to None in the case of foreign keys
-                    return False
-        return True
+        return all(
+            [
+                self.check_related('execution_environment', ExecutionEnvironment, data, obj=obj, role_field='read_role'),
+                self.check_related('inventory', Inventory, data, obj=obj, role_field='use_role'),
+                self.check_related('project', Project, data, obj=obj, role_field='use_role'),
+            ]
+        )

     def can_delete(self, obj):
         return self.user.is_superuser or self.user in obj.admin_role
	diff --git a/awx/main/access.py b/awx/main/access.py
	index 34008d47c6..b9e671018b 100644
	--- a/awx/main/access.py
	+++ b/awx/main/access.py
	@@ -306,7 +306,7 @@ class BaseAccess(object):
	- creating a new resource, user must have permission if
	resource is specified in `data`
	- editing an existing resource, user must have permission to resource
	- in `data`, as well as existing related resource on `obj`
	+ in `data`

	If `mandatory` is set, new resources require the field and
	existing field will always be checked
	@@ -1628,66 +1628,13 @@ class JobTemplateAccess(NotificationAttachMixin, UnifiedCredentialsMixin, BaseAc
	if data is None:
	return True

	- data = dict(data)
	- if self.changes_are_non_sensitive(obj, data):
	- return True
	- if not self.check_related('execution_environment', ExecutionEnvironment, data, obj=obj, role_field='read_role'):
	- return False
	- for required_field, cls in (('inventory', Inventory), ('project', Project)):
	- is_mandatory = True
	- if not getattr(obj, '{}_id'.format(required_field)):
	- is_mandatory = False
	- if not self.check_related(required_field, cls, data, obj=obj, role_field='use_role', mandatory=is_mandatory):
	- if required_field in data:
	- new_obj = get_object_from_data(required_field, cls, data)
	- return self.user in new_obj.use_role and (self.user in obj.inventory.use_role or self.user in obj.project.use_role)
	- return False
	- return True
	-
	- def changes_are_non_sensitive(self, obj, data):
	- """
	- Return true if the changes being made are considered nonsensitive, and
	- thus can be made by a job template administrator which may not have access
	- to the any inventory, project, or credentials associated with the template.
	- """
	- allowed_fields = [
	- 'name',
	- 'description',
	- 'forks',
	- 'limit',
	- 'verbosity',
	- 'extra_vars',
	- 'job_tags',
	- 'force_handlers',
	- 'skip_tags',
	- 'ask_variables_on_launch',
	- 'ask_tags_on_launch',
	- 'ask_job_type_on_launch',
	- 'ask_skip_tags_on_launch',
	- 'ask_inventory_on_launch',
	- 'ask_credential_on_launch',
	- 'survey_enabled',
	- 'custom_virtualenv',
	- 'diff_mode',
	- 'timeout',
	- 'job_slice_count',
	- # These fields are ignored, but it is convenient for QA to allow clients to post them
	- 'last_job_run',
	- 'created',
	- 'modified',
	- ]
	-
	- for k, v in data.items():
	- if k not in [x.name for x in obj._meta.concrete_fields]:
	- continue
	- if hasattr(obj, k) and getattr(obj, k) != v:
	- if (
	- k not in allowed_fields
	- and v != getattr(obj, '%s_id' % k, None)
	- and not (hasattr(obj, '%s_id' % k) and getattr(obj, '%s_id' % k) is None and v == '')
	- ): # Equate '' to None in the case of foreign keys
	- return False
	- return True
	+ return all(
	+ [
	+ self.check_related('execution_environment', ExecutionEnvironment, data, obj=obj, role_field='read_role'),
	+ self.check_related('inventory', Inventory, data, obj=obj, role_field='use_role'),
	+ self.check_related('project', Project, data, obj=obj, role_field='use_role'),
	+ ]
	+ )

	def can_delete(self, obj):
	return self.user.is_superuser or self.user in obj.admin_role