Merge pull request #2721 from anoek/2710

Fix inventory update permission so update_role is enough to update

awx/main/access.py

@@ -524,7 +524,12 @@ class InventorySourceAccess(BaseAccess):
             return False
 
     def can_start(self, obj):
-        return self.can_change(obj, {}) and obj.can_update
+        if obj and obj.group:
+            return obj.can_update and self.user in obj.group.inventory.update_role
+        elif obj and obj.inventory:
+            return obj.can_update and self.user in obj.inventory.update_role
+        return False
+
 
 class InventoryUpdateAccess(BaseAccess):
     '''

awx/main/tests/functional/api/test_inventory.py

@@ -148,3 +148,16 @@ def test_delete_inventory_host(delete, host, alice, role_field, expected_status_
     if role_field:
         getattr(host.inventory, role_field).members.add(alice)
     delete(reverse('api:host_detail', args=(host.id,)), alice, expect=expected_status_code)
+
+@pytest.mark.parametrize("role_field,expected_status_code", [
+    (None, 403),
+    ('admin_role', 202),
+    ('update_role', 202),
+    ('adhoc_role', 403),
+    ('use_role', 403)
+])
+@pytest.mark.django_db
+def test_inventory_source_update(post, inventory_source, alice, role_field, expected_status_code):
+    if role_field:
+        getattr(inventory_source.group.inventory, role_field).members.add(alice)
+    post(reverse('api:inventory_source_update_view', args=(inventory_source.id,)), {}, alice, expect=expected_status_code)