RoleAccess.can_unattach ensures you have read access member

2026-03-06 19:21:06 -03:30 · 2016-06-24 16:55:50 -04:00
parent 87ffded774
commit 089065bed1
1 changed files with 4 additions and 0 deletions
--- a/awx/main/access.py
+++ b/awx/main/access.py
@@ -1598,6 +1598,10 @@ class RoleAccess(BaseAccess):

    @check_superuser
    def can_unattach(self, obj, sub_obj, relationship):
+        if relationship == 'members':
+            if not check_user_access(self.user, sub_obj.__class__, 'read', sub_obj):
+                return False
+
        if obj.object_id and \
           isinstance(obj.content_object, ResourceMixin) and \
           self.user in obj.content_object.admin_role: