From 1e432126cd2838c045c7cb878808e1a3829f9a14 Mon Sep 17 00:00:00 2001
From: Wayne Witzel III
Date: Thu, 28 Apr 2016 15:39:56 -0400
Subject: [PATCH] prevent a user from removing their own admin_role
---
 awx/api/views.py | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/awx/api/views.py b/awx/api/views.py
index 4ea256c246..109ea69540 100644
--- a/awx/api/views.py
+++ b/awx/api/views.py
@@ -1109,6 +1109,10 @@ class UserRolesList(SubListCreateAttachDetachAPIView):
 if not sub_id:
 data = dict(msg='Role "id" field is missing')
 return Response(data, status=status.HTTP_400_BAD_REQUEST)
+
+ if sub_id == self.request.user.admin_role.pk:
+ raise PermissionDenied('You may not remove your own admin_role')
+
 return super(UserRolesList, self).post(request, *args, **kwargs)
 def check_parent_access(self, parent=None):
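Review bot: The new guard compares `sub_id` with `self.request.user.admin_role.pk` using `==`, so it only matches when both sides have the same type. The assignment of `sub_id` is above the hunk, but if it is taken from the request body unchanged, an id submitted as a string (form-encoded data or a JSON string) would not equal the integer pk, and the request would fall through to the parent `post()`, which may still resolve the id. Normalising before the comparison closes that gap, e.g. `if str(sub_id) == str(self.request.user.admin_role.pk):`. The check also runs on every POST rather than only on disassociation, and it does not look at which user's role list is addressed, so 'You may not remove your own admin_role' may be returned for attach requests too; a comment such as `# blocks any attach/detach of the requester's own admin_role` would make that intent explicit. `post()` begins outside the hunk.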