From d1f5485b9629a7b1618fc0684cbd8b8b753188af Mon Sep 17 00:00:00 2001
From: Ryan Petrello
Date: Tue, 3 Jul 2018 15:15:00 -0400
Subject: [PATCH] properly check read permissions in `GET /api/v2/wfjt/N/copy/`

see: https://github.com/ansible/tower/issues/2323
---
 awx/api/views.py | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/awx/api/views.py b/awx/api/views.py
index bbd6e82152..bc6a785002 100644
--- a/awx/api/views.py
+++ b/awx/api/views.py
@@ -3720,7 +3720,11 @@ class WorkflowJobTemplateCopy(WorkflowsEnforcementMixin, CopyAPIView):
 copy_return_serializer_class = WorkflowJobTemplateSerializer

 def get(self, request, *args, **kwargs):
+ if get_request_version(request) < 2:
+ return self.v1_not_allowed()
 obj = self.get_object()
+ if not request.user.can_access(obj.__class__, 'read', obj):
+ raise PermissionDenied()
 can_copy, messages = request.user.can_access_with_errors(self.model, 'copy', obj)
 data = OrderedDict([
 ('can_copy', can_copy), ('can_copy_without_user_input', can_copy),
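Review bot: The read check added to `get()` lives inline in this one handler, so whether `post()` on the same view (not visible in this hunk) also enforces read access has to be confirmed separately; an authorization rule kept in a single method body is easy to miss when another handler is added or changed. The check passes `obj.__class__` while the copy check on the following line passes `self.model`; writing `if not request.user.can_access(self.model, 'read', obj):` keeps both calls on the same access class. Raising `PermissionDenied` answers 403 for an existing id the caller cannot read, which presumably differs from the 404 returned for a missing id and so confirms which ids exist; if that matters for this endpoint, answering 404 in both cases closes it. The diffstat shows only `awx/api/views.py` changed, so a regression test asserting that a user without the read role is denied on `GET .../copy/` would pin the fix. `get()` continues past the end of the hunk.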