Special case handlign for team access list to prevent "read" role showing up as a direct team role

Fixes #1713
2026-01-18 05:01:19 -03:30 · 2016-05-03 13:42:14 -04:00 · 2016-05-03 13:42:14 -04:00 · 410a9dd45f
commit 410a9dd45f
parent 6adcbbaec7
1 changed files with 9 additions and 0 deletions
--- a/awx/api/serializers.py
+++ b/awx/api/serializers.py
@ -1545,6 +1545,15 @@ class ResourceAccessListElementSerializer(UserSerializer):
                                    .filter(content_type=team_content_type,
                                            members=user,
                                            children__in=direct_permissive_role_ids)
+        if content_type == team_content_type:
+            # When looking at the access list for a team, exclude the entries
+            # for that team. This exists primarily so we don't list the read role
+            # as a direct role when a user is a member or admin of a team
+            direct_team_roles = direct_team_roles.exclude(
+                children__content_type=team_content_type,
+                children__object_id=obj.id
+            )
+

        indirect_team_roles   = Role.objects \
                                    .filter(content_type=team_content_type,