updates for job can_delete

awx/main/access.py

@@ -828,6 +828,16 @@ class JobTemplateAccess(BaseAccess):
         return self.user in obj.admin_role
 
 class JobAccess(BaseAccess):
+    '''
+    I can see jobs when:
+     - I am a superuser.
+     - I can see its job template
+     - I am an admin or auditor of the organization which contains its inventory
+     - I am an admin or auditor of the organization which contains its project
+    I can delete jobs when:
+     - I am an admin of the organization which contains its inventory
+     - I am an admin of the organization which contains its project
+    '''
 
     model = Job
 
@@ -848,14 +858,10 @@ class JobAccess(BaseAccess):
         if not org_access_qs.exists():
             return qs_jt
 
-        qs_scan_orphan = qs.filter(
-            job_type=PERM_INVENTORY_SCAN,
-            inventory__organization__in=org_access_qs
-        )
-        qs_orphan = qs.filter(
-            project__organization__in=org_access_qs
-        ).exclude(job_type=PERM_INVENTORY_SCAN)
-        return (qs_jt | qs_orphan | qs_scan_orphan).distinct()
+        return qs.filter(
+            Q(job_template__in=JobTemplate.accessible_objects(self.user, 'read_role')) |
+            Q(inventory__organization__in=org_access_qs) |
+            Q(project__organization__in=org_access_qs)).distinct()
 
     def can_add(self, data):
         if not data or '_method' in data:  # So the browseable API will work?
@@ -885,7 +891,11 @@ class JobAccess(BaseAccess):
 
     @check_superuser
     def can_delete(self, obj):
-        return self.user in obj.inventory.admin_role
+        if obj.inventory is not None and self.user in obj.inventory.organization.admin_role:
+            return True
+        if obj.project is not None and self.user in obj.project.organization.admin_role:
+            return True
+        return False
 
     def can_start(self, obj):
         self.check_license()