From 57030390c02563d15975164b0a7020753a099474 Mon Sep 17 00:00:00 2001
From: Matthew Jones <mat@matburt.net>
Date: Thu, 6 Feb 2014 08:46:54 -0500
Subject: [PATCH] Fix AC-975... filter inactive permissions in some of the
 access code.

---
 awx/main/access.py | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/awx/main/access.py b/awx/main/access.py
index 3a4dd56082..8d8f3f5726 100644
--- a/awx/main/access.py
+++ b/awx/main/access.py
@@ -262,10 +262,12 @@ class InventoryAccess(BaseAccess):
         has_user_perms = qs.filter(
             permissions__user__in=[self.user],
             permissions__permission_type__in=allowed,
+            permissions__active=True,
         ).distinct()
         has_team_perms = qs.filter(
             permissions__team__users__in=[self.user],
             permissions__permission_type__in=allowed,
+            permissions__active=True,
         ).distinct()
         return admin_of | has_user_perms | has_team_perms
 
@@ -640,8 +642,8 @@ class ProjectAccess(BaseAccess):
             Q(organizations__admins__in=[self.user]) |
             Q(organizations__users__in=[self.user]) |
             Q(teams__users__in=[self.user]) |
-            Q(permissions__user=self.user, permissions__permission_type__in=allowed) |
-            Q(permissions__team__users__in=[self.user], permissions__permission_type__in=allowed)
+            Q(permissions__user=self.user, permissions__permission_type__in=allowed, permissions__active=True) |
+            Q(permissions__team__users__in=[self.user], permissions__permission_type__in=allowed, permissions__active=True)
         )
 
     def can_add(self, data):
@@ -810,6 +812,8 @@ class JobTemplateAccess(BaseAccess):
             Q(project__permissions__user=self.user) | Q(project__permissions__team__users__in=[self.user]),
             inventory__permissions__permission_type__in=allowed,
             project__permissions__permission_type__in=allowed,
+            inventory__permissions__active=True,
+            project__permissions__active=True,
             inventory__permissions__pk=F('project__permissions__pk'),
         )
         # FIXME: I *think* this should work... needs more testing.
@@ -914,6 +918,8 @@ class JobAccess(BaseAccess):
             Q(project__permissions__user=self.user) | Q(project__permissions__team__users__in=[self.user]),
             inventory__permissions__permission_type__in=allowed,
             project__permissions__permission_type__in=allowed,
+            inventory__permissions__active=True,
+            project__permissions__active=True,
             inventory__permissions__pk=F('project__permissions__pk'),
         )
         # FIXME: I *think* this should work... needs more testing.