Merge pull request #1738 from wwitzel3/issue-1714

prevent a user from removing their own admin_role
2026-01-15 11:50:42 -03:30 · 2016-05-02 10:09:41 -04:00 · 2016-05-02 10:09:41 -04:00 · 573bc07c5d
commit 573bc07c5d
parent 18e42d442e 1e432126cd
1 changed files with 4 additions and 0 deletions
--- a/awx/api/views.py
+++ b/awx/api/views.py
@ -1108,6 +1108,10 @@ class UserRolesList(SubListCreateAttachDetachAPIView):
        if not sub_id:
            data = dict(msg='Role "id" field is missing')
            return Response(data, status=status.HTTP_400_BAD_REQUEST)
+
+        if sub_id == self.request.user.admin_role.pk:
+            raise PermissionDenied('You may not remove your own admin_role')
+
        return super(UserRolesList, self).post(request, *args, **kwargs)

    def check_parent_access(self, parent=None):