added more tests to verify fix

awx/main/access.py

@@ -1629,18 +1629,18 @@ def can_change(self, obj, data):
             return True
 
         data = dict(data)
-
         if self.changes_are_non_sensitive(obj, data):
             return True
-
         if not self.check_related('execution_environment', ExecutionEnvironment, data, obj=obj, role_field='read_role'):
             return False
-
         for required_field, cls in (('inventory', Inventory), ('project', Project)):
             is_mandatory = True
             if not getattr(obj, '{}_id'.format(required_field)):
                 is_mandatory = False
             if not self.check_related(required_field, cls, data, obj=obj, role_field='use_role', mandatory=is_mandatory):
+                if required_field in data:
+                    new_obj = get_object_from_data(required_field, cls, data)
+                    return self.user in new_obj.use_role and (self.user in obj.inventory.use_role or self.user in obj.project.use_role)
                 return False
         return True
 

awx/main/tests/functional/test_rbac_job_templates.py

@@ -328,3 +328,50 @@ def test_inventory_read_transfer_indirect(self, patch):
         inv.save(update_fields=['organization'])
         assert admins[0] not in jt.read_role
         assert admins[1] in jt.read_role
+
+
+@pytest.mark.django_db
+def test_job_template_mixed_permission(rando, bob, project, inventory):
+    """The job template permissions are a bit tricky when it comes to jt admin and use permissions on related objects
+    This test tries to test different variation of use permissions
+    """
+    # Create new inventory and projects to associate
+    job_template = JobTemplate.objects.create(name='test-jt', project=project, playbook='helloworld.yml', inventory=inventory, ask_credential_on_launch=True)
+    access = JobTemplateAccess(rando)
+    inv1 = Inventory.objects.create(name='test', organization=project.organization)
+    proj1 = Project.objects.create(name='new_proj', scm_type=project.scm_type, playbook_files=project.playbook_files, organization=project.organization)
+    proj2 = Project.objects.create(name='proj2', scm_type=project.scm_type, playbook_files=project.playbook_files, organization=project.organization)
+
+    assert not access.can_change(job_template, {'project': proj1.pk})
+    assert not access.can_change(job_template, {'inventory': inv1.pk})
+
+    # assign permissions to new project to associate and existing job template admin and inv use
+    proj1.use_role.members.add(rando)
+    job_template.admin_role.members.add(rando)
+    job_template.inventory.use_role.members.add(rando)
+
+    assert not access.can_change(job_template, {'inventory': inv1.pk})
+    assert access.can_change(job_template, {'project': proj1.pk})
+
+    # remove use perm on inventory and add use to associated project
+    job_template.inventory.use_role.members.remove(rando)
+    job_template.project.use_role.members.add(rando)
+    proj1.use_role.members.remove(rando)
+    inv1.use_role.members.add(rando)
+
+    assert not access.can_change(job_template, {'project': proj2.pk})
+    assert access.can_change(job_template, {'project': project.pk})
+    assert access.can_change(job_template, {'inventory': inv1.pk})
+
+    # remove project and inventory permission
+    job_template.project.use_role.members.remove(rando)
+    job_template.update_fields(project=project)
+    job_template.inventory.use_role.members.remove(rando)
+
+    assert not access.can_change(job_template, {'project': proj1.pk})
+    assert not access.can_change(job_template, {'inventory': inv1.pk})
+
+    jt = JobTemplate.objects.create(name='test-jt', project=project, playbook='helloworld.yml', inventory=inventory, ask_credential_on_launch=True)
+    jt.admin_role.members.add(bob)
+    assert not access.can_change(jt, {'project': proj1.pk})
+    assert not access.can_change(jt, {'inventory': inv1.pk})