Merge pull request #1734 from wwitzel3/team-roles-access

ensure change access for adding team roles

awx/api/views.py

@@ -834,7 +834,6 @@ class TeamRolesList(SubListCreateAttachDetachAPIView):
             raise PermissionDenied()
         return Role.filter_visible_roles(self.request.user, team.member_role.children.all())
 
-    # XXX: Need to enforce permissions
     def post(self, request, *args, **kwargs):
         # Forbid implicit role creation here
         sub_id = request.data.get('id', None)

awx/main/tests/functional/test_rbac_team.py

@@ -3,6 +3,25 @@ import pytest
 from awx.main.access import TeamAccess
 from awx.main.models import Project
 
+
+@pytest.mark.django_db
+def test_team_attach_unattach(team, user):
+    u = user('member', False)
+    access = TeamAccess(u)
+
+    team.member_role.members.add(u)
+    assert not access.can_attach(team, u.admin_role, 'member_role.children', None)
+    assert not access.can_unattach(team, u.admin_role, 'member_role.children')
+
+    team.admin_role.members.add(u)
+    assert access.can_attach(team, u.admin_role, 'member_role.children', None)
+    assert access.can_unattach(team, u.admin_role, 'member_role.children')
+
+    u2 = user('non-member', False)
+    access = TeamAccess(u2)
+    assert not access.can_attach(team, u2.admin_role, 'member_role.children', None)
+    assert not access.can_unattach(team, u2.admin_role, 'member_role.chidlren')
+
 @pytest.mark.django_db
 def test_team_access_superuser(team, user):
     team.member_role.members.add(user('member', False))

awx/main/tests/unit/api/test_views.py

@@ -1,8 +1,9 @@
-# Python
 import pytest
 
-# AWX
+from awx.api.views import (
-from awx.api.views import ApiV1RootView
+    ApiV1RootView,
+)
+
 
 @pytest.fixture
 def mock_response_new(mocker):
@@ -10,6 +11,7 @@ def mock_response_new(mocker):
     m.return_value = m
     return m
 
+
 class TestApiV1RootView:
     def test_get_endpoints(self, mocker, mock_response_new):
         endpoints = [