selectively show POST in options for inventory sublists

awx/api/permissions.py

@@ -49,6 +49,9 @@ class ModelAccessPermission(permissions.BasePermission):
             if not check_user_access(request.user, view.parent_model, 'read',
                                      parent_obj):
                 return False
+            if hasattr(view, 'parent_key'):
+                if not check_user_access(request.user, view.model, 'add', {view.parent_key: parent_obj.pk}):
+                    return False
             return True
         elif getattr(view, 'is_job_start', False):
             if not obj:

awx/main/tests/functional/api/test_adding_options.py

@@ -2,13 +2,21 @@ import pytest
 
 from django.core.urlresolvers import reverse
 
-@pytest.fixture
-def test_inventory_group_add(inventory, alice, bob, options):
-    inventory.admin_role.add(alice)
-    response = options(reverse('api:inventory_detail', args=[inventory.pk]), alice)
-    print ' resp: ' + str(response.data)
-    assert 'POST' in response.data
+@pytest.mark.django_db
+def test_inventory_group_host_can_add(inventory, alice, options):
+    inventory.admin_role.members.add(alice)
 
-    inventory.read_role.add(bob)
-    
-    
+    response = options(reverse('api:inventory_hosts_list', args=[inventory.pk]), alice)
+    assert 'POST' in response.data['actions']
+    response = options(reverse('api:inventory_groups_list', args=[inventory.pk]), alice)
+    assert 'POST' in response.data['actions']
+
+
+@pytest.mark.django_db
+def test_inventory_group_host_can_not_add(inventory, bob, options):
+    inventory.read_role.members.add(bob)
+
+    response = options(reverse('api:inventory_hosts_list', args=[inventory.pk]), bob)
+    assert 'POST' not in response.data['actions']
+    response = options(reverse('api:inventory_groups_list', args=[inventory.pk]), bob)
+    assert 'POST' not in response.data['actions']