From 1d951a7effe6dad89a332303c83f86be481e70b1 Mon Sep 17 00:00:00 2001
From: AlanCoding
Date: Wed, 27 Jul 2016 12:13:38 -0400
Subject: [PATCH] use same model method to determine read permission as we do in the views
---
 awx/api/views.py | 1 -
 awx/main/access.py | 10 ++--------
 2 files changed, 2 insertions(+), 9 deletions(-)
diff --git a/awx/api/views.py b/awx/api/views.py
index f71d799ab4..e57d5d2481 100644
--- a/awx/api/views.py
+++ b/awx/api/views.py
@@ -3625,7 +3625,6 @@ class RoleDetail(RetrieveAPIView):
 model = Role
 serializer_class = RoleSerializer
- permission_classes = (IsAuthenticated,)
 new_in_300 = True
diff --git a/awx/main/access.py b/awx/main/access.py
index 6bd920c7fe..52129022f7 100644
--- a/awx/main/access.py
+++ b/awx/main/access.py
@@ -1661,14 +1661,8 @@ class RoleAccess(BaseAccess):
 if self.user.is_superuser or self.user.is_system_auditor:
 return True
- if obj.object_id:
- sister_roles = Role.objects.filter(
- content_type = obj.content_type,
- object_id = obj.object_id
- )
- else:
- sister_roles = obj
- return self.user.roles.filter(descendents__in=sister_roles).exists()
+ return Role.filter_visible_roles(
+ self.user, Role.objects.filter(pk=obj.id)).exists()
 def can_add(self, obj, data):
 # Unsupported for now
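Review bot: The new `return Role.filter_visible_roles(self.user, Role.objects.filter(pk=obj.id)).exists()` in `RoleAccess` changes who is allowed to read a role, yet the diffstat lists only `views.py` and `access.py`, so no test pins the new authorization result. The removed code treated roles without an `object_id` in a separate branch; whether `filter_visible_roles` gives the same answer for those singleton roles cannot be seen from this hunk, so a regression test covering an unrelated user, a holder of a sister role and a singleton role should accompany the change. Because the first hunk drops the `permission_classes = (IsAuthenticated,)` override from `RoleDetail`, that view presumably falls back to the project's default permission classes and this method becomes its read gate; a comment above the return such as `# Must use the same filter as the role list views so list and detail visibility cannot drift.` would record that coupling. The enclosing method starts outside the hunk.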