From 18796ec3ffbe1d64e90413c7ce8884db7e5b4da1 Mon Sep 17 00:00:00 2001
From: Akita Noek
Date: Mon, 2 May 2016 16:38:57 -0400
Subject: [PATCH] Inventory/Group/Host updating is allowed by those with update_role not just admin_role

---
 awx/main/access.py | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/awx/main/access.py b/awx/main/access.py
index ffd5da98c9..0315eee835 100644
--- a/awx/main/access.py
+++ b/awx/main/access.py
@@ -349,7 +349,7 @@ class InventoryAccess(BaseAccess):
 if self.user not in org.admin_role:
 return False
 # Otherwise, just check for write permission.
- return self.user in obj.admin_role
+ return self.user in obj.update_role

 @check_superuser
 def can_admin(self, obj, data):
@@ -401,7 +401,7 @@ class HostAccess(BaseAccess):
 # Checks for admin or change permission on inventory.
 inventory_pk = get_pk_from_dict(data, 'inventory')
 inventory = get_object_or_400(Inventory, pk=inventory_pk)
- if self.user not in inventory.admin_role:
+ if self.user not in inventory.update_role:
 return False

 # Check to see if we have enough licenses
@@ -415,7 +415,7 @@ class HostAccess(BaseAccess):
 raise PermissionDenied('Unable to change inventory on a host')
 # Checks for admin or change permission on inventory, controls whether
 # the user can edit variable data.
- return obj and self.user in obj.inventory.admin_role
+ return obj and self.user in obj.inventory.update_role

 def can_attach(self, obj, sub_obj, relationship, data,
 skip_sub_obj_read_check=False):
@@ -452,7 +452,7 @@ class GroupAccess(BaseAccess):
 # Checks for admin or change permission on inventory.
 inventory_pk = get_pk_from_dict(data, 'inventory')
 inventory = get_object_or_400(Inventory, pk=inventory_pk)
- return self.user in inventory.admin_role
+ return self.user in inventory.update_role

 def can_change(self, obj, data):
 # Prevent moving a group to a different inventory.
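Review bot: In `InventoryAccess.can_change` (hunk at -349), the final `return self.user in obj.update_role` is also the check reached after the `org.admin_role` test above it, so `update_role` on the inventory now suffices on that path too. The start of the function is outside the hunk, but if that test guards a change of organization, a user holding only `update_role` here plus admin on another organization could move the inventory there. Consider keeping `obj.admin_role` for the organization-changing path and using `obj.update_role` only for ordinary edits, with a comment such as `# Field edits need update_role; changing organization still needs admin_role.`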
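Review bot: In `HostAccess.can_add` (hunk at -401), `if self.user not in inventory.update_role:` replaces the admin check rather than adding to it, so inventory admins can still add hosts only if `admin_role` membership implies `update_role` membership. The role definitions are not part of this diff, and the diffstat lists only awx/main/access.py, so nothing here pins that assumption. A test that an admin-only user and an update-only user both pass while a read-only user is refused would cover this hunk and the same substitution at -349, -415, -452, -461 and -514. `can_add` starts outside the hunk.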
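Review bot: In `HostAccess.can_change` (hunk at -415), the comment above `return obj and self.user in obj.inventory.update_role` says this check controls who can edit variable data, and the change hands that ability to every member of `update_role`. Host variables influence how jobs run against the host, so this is a wider grant than the subject line's "updating" suggests and should be a documented decision rather than a side effect. I would extend the comment with `# update_role is sufficient to edit host variable data.` and do the same in `GroupAccess.can_change` at -461, where the comment also covers attaching subgroups. `can_change` begins outside the hunk.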
@@ -461,7 +461,7 @@ class GroupAccess(BaseAccess):
 raise PermissionDenied('Unable to change inventory on a group')
 # Checks for admin or change permission on inventory, controls whether
 # the user can attach subgroups or edit variable data.
- return obj and self.user in obj.inventory.admin_role
+ return obj and self.user in obj.inventory.update_role

 def can_attach(self, obj, sub_obj, relationship, data,
 skip_sub_obj_read_check=False):
@@ -514,7 +514,7 @@ class InventorySourceAccess(BaseAccess):
 def can_change(self, obj, data):
 # Checks for admin or change permission on group.
 if obj and obj.group:
- return self.user in obj.group.admin_role
+ return self.user in obj.group.update_role
 # Can't change inventory sources attached to only the inventory, since
 # these are created automatically from the management command.
 else:
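Review bot: In `GroupAccess.can_change` (hunk at -461), `return obj and self.user in obj.inventory.update_role` returns `obj` itself (for example `None`) rather than `False` when `obj` is falsy, so the permission check has no single return type. `return bool(obj) and self.user in obj.inventory.update_role` keeps the behaviour for callers that only test truthiness and makes the denial explicit. The same expression is in `HostAccess.can_change` at -415. The function starts outside the hunk.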
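Review bot: `InventorySourceAccess.can_change` (hunk at -514) is the one check here that resolves the role on `obj.group` rather than on an inventory, and nothing in the diff shows that the group model defines `update_role` or how it relates to the inventory's role. If the field is missing, this raises AttributeError instead of denying. If it exists, membership in it now gates edits to the source's whole configuration, since `data` is not inspected in the visible lines. A test for a user holding only the group's `update_role` would settle both, along with a comment such as `# update_role on the group is sufficient to edit its inventory source`. The `else:` branch continues outside the hunk.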