Add test to check user to team membership

Signed-off-by: Seth Foster <[email protected]>
ansible · May 29, 2024 · 3bc297d · 3bc297d
1 parent e2fab15
commit 3bc297d
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 15 deletions.
diff --git a/awx/api/views/__init__.py b/awx/api/views/__init__.py
@@ -1339,10 +1339,12 @@ def post(self, request, *args, **kwargs):
 
         # if content type if organization and DIRECT_SHARED_RESOURCE_MANAGEMENT_ENABLED is False, throw 403
         if not settings.DIRECT_SHARED_RESOURCE_MANAGEMENT_ENABLED:
-            org_content_type = ContentType.objects.get_for_model(models.Organization)
-            if role.content_type == org_content_type and role.role_field in ['member_role', 'admin_role']:
-                data = dict(msg=_("You cannot assign user to an organization. Must be done via the platform ingress."))
-                return Response(data, status=status.HTTP_403_FORBIDDEN)
+            org_ct = ContentType.objects.get_for_model(models.Organization)
+            team_ct = ContentType.objects.get_for_model(models.Team)
+            for ct in [org_ct, team_ct]:
+                if role.content_type == ct and role.role_field in ['member_role', 'admin_role']:
+                    data = dict(msg=_(f"Cannot modify user membership to {ct.model}. Must be done via the platform ingress."))
+                    return Response(data, status=status.HTTP_403_FORBIDDEN)
 
         credential_content_type = ContentType.objects.get_for_model(models.Credential)
         if role.content_type == credential_content_type:

diff --git a/awx/main/tests/functional/api/test_immutablesharedfields.py b/awx/main/tests/functional/api/test_immutablesharedfields.py
@@ -1,9 +1,5 @@
 import pytest
 
-from rest_framework.exceptions import PermissionDenied
-from awx.api.views import TeamDetail
-
-from awx.api.views import immutablesharedfields
 from awx.api.versioning import reverse
 from awx.main.models import Organization
 from django.test import override_settings
@@ -52,19 +48,21 @@ def test_perform_update(self, admin_user, patch):
 
     @pytest.mark.parametrize(
         'role',
-        [
-            'admin_role',
-            'member_role',
-        ],
+        ['admin_role', 'member_role'],
     )
-    def test_prevent_assigning_member_to_organization(self, admin_user, post, role):
+    @pytest.mark.parametrize('resource', ['organization', 'team'])
+    def test_prevent_assigning_member_to_organization_or_team(self, admin_user, post, resource, role):
         orgA = Organization.objects.create(name='orgA')
-        role = getattr(orgA, role)
+        if resource == 'organization':
+            role = getattr(orgA, role)
+        elif resource == 'team':
+            teamA = orgA.teams.create(name='teamA')
+            role = getattr(teamA, role)
         with override_settings(DIRECT_SHARED_RESOURCE_MANAGEMENT_ENABLED=False):
             resp = post(
                 url=reverse('api:user_roles_list', kwargs={'pk': admin_user.id}),
                 data={'id': role.id},
                 user=admin_user,
                 expect=403,
             )
-        assert "You cannot assign user to an organization. Must be done via the platform ingress" in resp.data['msg']
+        assert f"Cannot modify user membership to {resource}. Must be done via the platform ingress" in resp.data['msg']