From 4c2af3a8797ef458641d142ab2266f1ee9c489bd Mon Sep 17 00:00:00 2001
From: Chris Church
Date: Sun, 28 Jul 2013 13:50:25 -0400
Subject: [PATCH] Fix AC-293. Explicitly check for start/cancel permissions on job for access to job start/cancel views.

---
 awx/main/permissions.py | 13 +++++++++++--
 awx/main/views.py | 2 ++
 2 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/awx/main/permissions.py b/awx/main/permissions.py
index a4c1071c3b..68b760b986 100644
--- a/awx/main/permissions.py
+++ b/awx/main/permissions.py
@@ -14,6 +14,7 @@ from rest_framework import permissions
 # AWX
 from awx.main.access import *
 from awx.main.models import *
+from awx.main.utils import get_object_or_400
 
 logger = logging.getLogger('awx.main.permissions')
 
@@ -34,7 +35,7 @@ class ModelAccessPermission(permissions.BasePermission):
 
     def check_get_permissions(self, request, view, obj=None):
         if hasattr(view, 'parent_model'):
-            parent_obj = view.parent_model.objects.get(pk=view.kwargs['pk'])
+            parent_obj = get_object_or_400(view.parent_model, pk=view.kwargs['pk'])
             if not check_user_access(request.user, view.parent_model, 'read',
                                      parent_obj):
                 return False
@@ -44,8 +45,16 @@ class ModelAccessPermission(permissions.BasePermission):
 
     def check_post_permissions(self, request, view, obj=None):
         if hasattr(view, 'parent_model'):
-            parent_obj = view.parent_model.objects.get(pk=view.kwargs['pk'])
+            parent_obj = get_object_or_400(view.parent_model, pk=view.kwargs['pk'])
             return True
+        elif getattr(view, 'is_job_start', False):
+            if not obj:
+                return True
+            return check_user_access(request.user, view.model, 'start', obj)
+        elif getattr(view, 'is_job_cancel', False):
+            if not obj:
+                return True
+            return check_user_access(request.user, view.model, 'cancel', obj)
         else:
             if obj:
                 return True
diff --git a/awx/main/views.py b/awx/main/views.py
index 1191acd1e3..415c23e3be 100644
--- a/awx/main/views.py
+++ b/awx/main/views.py
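Review bot: In check_get_permissions the parent lookup via `get_object_or_400` runs before the 'read' check on the parent, so a requester who may not read the parent model still receives a different response for a pk that does not exist (presumably 400, going by the helper's name) than for one they are not allowed to read (a permission denial), which lets the existence of a parent be inferred; if that matters for these models, return the same status in both cases. A missing resource is also conventionally reported as 404 rather than 400, so the helper's choice deserves a comment at the call site, e.g. `# get_object_or_400: a missing parent pk is treated as a malformed request, not 404`. check_get_permissions continues past the hunk, and the same lookup change appears in check_post_permissions in the next hunk.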
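Review bot: In the new `is_job_start` / `is_job_cancel` branches of check_post_permissions the view-level call (obj is None) returns True unconditionally, so enforcement rests entirely on the object-level call being made before the job is started or cancelled; the GET handlers in views.py do call `self.get_object()`, but the POST handlers these branches guard are outside the hunks and should be confirmed to do the same. The two branches differ only in the action string; a single view attribute naming the action, e.g. `job_action = 'start'`, would collapse them to `return check_user_access(request.user, view.model, action, obj) if obj else True`. Separately, in the `parent_model` branch the freshly fetched `parent_obj` is assigned and never checked before `return True`, unlike the 'read' check in check_get_permissions; whether the parent deliberately needs no access check for POST is worth a one-line comment either way. check_post_permissions continues past the hunk.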
@@ -782,6 +782,7 @@ class JobDetail(RetrieveUpdateDestroyAPIView):
 class JobStart(generics.GenericAPIView):
 
     model = Job
+    is_job_start = True
 
     def get(self, request, *args, **kwargs):
         obj = self.get_object()
@@ -807,6 +808,7 @@ class JobStart(generics.GenericAPIView):
 class JobCancel(generics.GenericAPIView):
 
     model = Job
+    is_job_cancel = True
 
     def get(self, request, *args, **kwargs):
         obj = self.get_object()
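Review bot: `is_job_start = True` is a bare marker that ModelAccessPermission.check_post_permissions in permissions.py reads via getattr, but nothing at the view says so; a trailing comment such as `is_job_start = True  # checked by ModelAccessPermission.check_post_permissions` would make the coupling visible, and the same applies to `is_job_cancel` in the JobCancel hunk. Since the permission code only needs the action name, one attribute such as `job_action = 'start'` and `job_action = 'cancel'` would serve both views and avoid a new boolean flag for every future action. The `get` method continues outside both hunks.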