Check the permissions for adding users to orgs/teams in the other direction

awx/main/tests/functional/test_rbac_organization.py

@@ -36,3 +36,15 @@ def test_organization_access_user(cl, organization, user):
     org = access.get_queryset()[0]
     assert len(org.admin_role.members.all()) == 0
     assert len(org.member_role.members.all()) == 1
+
+
+@pytest.mark.django_db
+@pytest.mark.parametrize('ext_auth', [True, False])
+def test_org_resource_role(ext_auth, organization, rando, org_admin):
+    with mock.patch('awx.main.access.settings') as settings_mock:
+        settings_mock.MANAGE_ORGANIZATION_AUTH = ext_auth
+        access = OrganizationAccess(org_admin)
+
+        assert access.can_attach(organization, rando, 'member_role.members') == ext_auth
+        organization.member_role.members.add(rando)
+        assert access.can_unattach(organization, rando, 'member_role.members') == ext_auth

awx/main/tests/functional/test_rbac_team.py

@@ -21,7 +21,21 @@ def test_team_attach_unattach(team, user):
     u2 = user('non-member', False)
     access = TeamAccess(u2)
     assert not access.can_attach(team, team.member_role, 'member_role.children', None)
-    assert not access.can_unattach(team, team.member_role, 'member_role.chidlren')
+    assert not access.can_unattach(team, team.member_role, 'member_role.children')
+
+
+@pytest.mark.django_db
+@pytest.mark.parametrize('ext_auth', [True, False])
+def test_team_org_resource_role(ext_auth, team, user, rando):
+    with mock.patch('awx.main.access.settings') as settings_mock:
+        settings_mock.MANAGE_ORGANIZATION_AUTH = ext_auth
+        u = user('member', False)
+        team.organization.admin_role.members.add(u)
+        access = TeamAccess(u)
+
+        assert access.can_attach(team, rando, 'member_role.members') == ext_auth
+        team.member_role.members.add(rando)
+        assert access.can_unattach(team, rando, 'member_role.members') == ext_auth
 
 
 @pytest.mark.django_db