From 802a112106b930d137e2612887c95ab8bf4930c5 Mon Sep 17 00:00:00 2001
From: Akita Noek
Date: Tue, 17 May 2016 09:01:17 -0400
Subject: [PATCH] Fixed project update permissions Now folks in the update role can update a project as intended, yay! #1929
---
 awx/api/permissions.py | 17 ++++++++++++++++-
 awx/api/views.py | 1 +
 2 files changed, 17 insertions(+), 1 deletion(-)
diff --git a/awx/api/permissions.py b/awx/api/permissions.py
index bc1447ba03..975d8bd90c 100644
--- a/awx/api/permissions.py
+++ b/awx/api/permissions.py
@@ -19,7 +19,7 @@ from awx.main.utils import get_object_or_400
 logger = logging.getLogger('awx.api.permissions')
 __all__ = ['ModelAccessPermission', 'JobTemplateCallbackPermission',
- 'TaskPermission']
+ 'TaskPermission', 'ProjectUpdatePermission']
 class ModelAccessPermission(permissions.BasePermission):
 '''
@@ -190,3 +190,18 @@ class TaskPermission(ModelAccessPermission):
 return bool(not obj or obj.pk == unified_job.pk)
 else:
 return False
+
+class ProjectUpdatePermission(ModelAccessPermission):
+ '''
+ Permission check used by ProjectUpdateView to determine who can update projects
+ '''
+
+ def has_permission(self, request, view, obj=None):
+ if request.user.is_superuser:
+ return True
+
+ project = get_object_or_400(view.model, pk=view.kwargs['pk'])
+ if project and request.user in project.update_role:
+ return True
+
+ return False
diff --git a/awx/api/views.py b/awx/api/views.py
index 9a6ad68715..f2b87e774a 100644
--- a/awx/api/views.py
+++ b/awx/api/views.py
@@ -1027,6 +1027,7 @@ class ProjectUpdateView(RetrieveAPIView):
 model = Project
 serializer_class = ProjectUpdateViewSerializer
+ permission_classes = (ProjectUpdatePermission,)
 new_in_13 = True
 def post(self, request, *args, **kwargs):
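Review bot: `ProjectUpdatePermission.has_permission` (second hunk of awx/api/permissions.py) replaces the inherited method outright and never consults `request.method`, so the update-role test now decides every verb on the view, GET included, and whatever `ModelAccessPermission.has_permission` enforces (its body is outside this diff) no longer runs for `ProjectUpdateView`. If only the POST is meant to require the update role, open the method with `if request.method != 'POST': return super(ProjectUpdatePermission, self).has_permission(request, view, obj)`. The lookup through `get_object_or_400` also happens before any access decision; assuming it rejects an unknown pk with a 400, a user with no rights on any project gets a different answer for existing and missing ids, which is worth a short comment or a regression test. The `project and` guard looks redundant for the same reason.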
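Review bot: `ProjectUpdatePermission` is used in `permission_classes` without an import being added to awx/api/views.py (the diffstat shows this one line as the file's only change), so it presumably arrives through a wildcard import from `awx.api.permissions`, which would be why `__all__` is extended in the first hunk. An explicit `from awx.api.permissions import ProjectUpdatePermission` would keep the view's access control traceable from this file. `post` continues past the end of the hunk, so whether it keeps its own update check is not visible here; a comment above the attribute such as `# POST requires update_role; see ProjectUpdatePermission` would document the intent.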