From 089065bed197883f73521ee79c57f8192174f5c1 Mon Sep 17 00:00:00 2001
From: Wayne Witzel III
Date: Fri, 24 Jun 2016 16:55:50 -0400
Subject: [PATCH] RoleAccess.can_unattach ensures you have read access member

---
 awx/main/access.py | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/awx/main/access.py b/awx/main/access.py
index 4fac7b7228..afcb7672ac 100644
--- a/awx/main/access.py
+++ b/awx/main/access.py
@@ -1598,6 +1598,10 @@ class RoleAccess(BaseAccess):

 @check_superuser
 def can_unattach(self, obj, sub_obj, relationship):
+ if relationship == 'members':
+ if not check_user_access(self.user, sub_obj.__class__, 'read', sub_obj):
+ return False
+
 if obj.object_id and \
 isinstance(obj.content_object, ResourceMixin) and \
 self.user in obj.content_object.admin_role:
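Review bot: The new read check in can_unattach runs only when `relationship == 'members'`, so a call with any other relationship name skips it and goes straight to the `admin_role` test without confirming that the requester can see `sub_obj`. Whether other relationships reach this method is not visible in the hunk, so it is worth confirming that none of them needs the same visibility check. The reason for the guard is also unstated; a comment above it such as `# A role admin may only detach a member they have read access to; otherwise deny.` would keep it from being removed as redundant later. The diffstat shows only awx/main/access.py changed, so this authorization change lands without a regression test for a role admin who lacks read access to the member. The body of can_unattach continues past the end of the hunk.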