do not allow membership changes to User.admin_role

awx/api/views.py

@@ -1208,7 +1208,12 @@ class UserRolesList(SubListCreateAttachDetachAPIView):
             return Response(data, status=status.HTTP_400_BAD_REQUEST)
 
         if sub_id == self.request.user.admin_role.pk:
-            raise PermissionDenied('You may not remove your own admin_role.')
+            raise PermissionDenied('You may not perform any action with your own admin_role.')
+
+        role = get_object_or_404(Role, pk=sub_id)
+        user_content_type = ContentType.objects.get_for_model(User)
+        if role.content_type == user_content_type:
+            raise PermissionDenied('You may not change the membership of a users admin_role')
 
         return super(UserRolesList, self).post(request, *args, **kwargs)
 

awx/main/tests/functional/api/test_user.py

@@ -66,3 +66,13 @@ def test_create_delete_create_user(post, delete, admin):
     }, admin)
     print(response.data)
     assert response.status_code == 201
+
+@pytest.mark.django_db
+def test_add_user_admin_role_member(post, user):
+    admin = user('admin', is_superuser=True)
+    normal = user('normal')
+
+    url = reverse('api:user_roles_list', args=(admin.pk,))
+    response = post(url, {'id':normal.admin_role.pk}, admin)
+    assert response.status_code == 403
+    assert 'not change membership' in response.rendered_content