diff --git a/awx/api/permissions.py b/awx/api/permissions.py index 6e1320e2d8..d1f909cd0b 100644 --- a/awx/api/permissions.py +++ b/awx/api/permissions.py @@ -49,6 +49,9 @@ class ModelAccessPermission(permissions.BasePermission): if not check_user_access(request.user, view.parent_model, 'read', parent_obj): return False + if hasattr(view, 'parent_key'): + if not check_user_access(request.user, view.model, 'add', {view.parent_key: parent_obj.pk}): + return False return True elif getattr(view, 'is_job_start', False): if not obj: diff --git a/awx/main/tests/functional/api/test_adding_options.py b/awx/main/tests/functional/api/test_adding_options.py index e03450ac7f..08ecf27a4f 100644 --- a/awx/main/tests/functional/api/test_adding_options.py +++ b/awx/main/tests/functional/api/test_adding_options.py @@ -2,13 +2,21 @@ import pytest from django.core.urlresolvers import reverse -@pytest.fixture -def test_inventory_group_add(inventory, alice, bob, options): - inventory.admin_role.add(alice) - response = options(reverse('api:inventory_detail', args=[inventory.pk]), alice) - print ' resp: ' + str(response.data) - assert 'POST' in response.data +@pytest.mark.django_db +def test_inventory_group_host_can_add(inventory, alice, options): + inventory.admin_role.members.add(alice) - inventory.read_role.add(bob) - - + response = options(reverse('api:inventory_hosts_list', args=[inventory.pk]), alice) + assert 'POST' in response.data['actions'] + response = options(reverse('api:inventory_groups_list', args=[inventory.pk]), alice) + assert 'POST' in response.data['actions'] + + +@pytest.mark.django_db +def test_inventory_group_host_can_not_add(inventory, bob, options): + inventory.read_role.members.add(bob) + + response = options(reverse('api:inventory_hosts_list', args=[inventory.pk]), bob) + assert 'POST' not in response.data['actions'] + response = options(reverse('api:inventory_groups_list', args=[inventory.pk]), bob) + assert 'POST' not in response.data['actions']
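Review bot: The new 'add' check in the parent-object branch only runs when the view defines `parent_key`, so a sub-list view without that attribute still reaches `return True` with nothing more than 'read' on the parent at this layer. Which views lack the attribute is not visible here, so I would state the contract above the guard, e.g. `# views without parent_key are gated here by parent 'read' only and must enforce 'add' themselves`. `hasattr` also passes when the attribute exists but is `None`, which would build the dict `{None: parent_obj.pk}`; `parent_key = getattr(view, 'parent_key', None)` followed by `if parent_key and not check_user_access(request.user, view.model, 'add', {parent_key: parent_obj.pk}):` avoids that and matches the `getattr(view, 'is_job_start', False)` style two lines below. The check is given only the parent key and not the request body, so it looks like a pre-check on the relationship; the other submitted fields presumably still need validating where the object is created. The enclosing method starts above this hunk and continues past `if not obj:`.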
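Review bot: Both new tests assert only on the OPTIONS metadata (`response.data['actions']`), so nothing here checks that a real POST from the read-only user is refused. A metadata bug and an enforcement bug can diverge, so `test_inventory_group_host_can_not_add` should also send the request and expect a 403. Assuming the suite has a `post` fixture shaped like `options`, that would be `assert post(reverse('api:inventory_hosts_list', args=[inventory.pk]), {'name': 'h1'}, bob).status_code == 403`, plus the same for `api:inventory_groups_list`. A case for a user with no role on the inventory at all would complete the matrix.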