Prevent hosts from being added to their own children.

awx/main/base_views.py

@@ -118,6 +118,7 @@ class BaseSubList(BaseList):
                         # no attaching to yourself
                         raise PermissionDenied()
 
+
                     if self.__class__.parent_model != User:
 
                         # FIXME: refactor into smaller functions
@@ -207,6 +208,14 @@ class BaseSubList(BaseList):
             else:
                 # resource is just a ForeignKey, can't remove it from the set, just set it inactive
                 sub.mark_inactive()
+                    
+
+        # verify we didn't add anything to it's own children
+        if type(main) == Group:
+            all_children = main.get_all_children().all()
+            if main in all_children:
+                # no attaching to child objects (in the case of groups)
+                raise PermissionDenied()
 
         if created:
             return Response(status=status.HTTP_201_CREATED, data=ser.data)

awx/main/tests/inventory.py

@@ -451,6 +451,15 @@ class InventoryTest(BaseTest):
         kids = self.get(subgroups_url2, expect=200, auth=self.get_normal_credentials())
         self.assertEqual(kids['count'], 1)
         posted2 = self.post(subgroups_url2, data=new_data, expect=201, auth=self.get_normal_credentials()) 
+
+        # a group can't be it's own grandparent
+        subsub = posted2['related']['children']
+        # this is the grandparent
+        original_url = reverse('main:group_detail', args=(Group.objects.get(name='web6').pk,))
+        parent_data = self.get(original_url, expect=200, auth=self.get_super_credentials())
+        # now posting to kid's children collection...
+        self.post(subsub, data=parent_data, expect=403, auth=self.get_super_credentials())
+
         with_one_more_kid = self.get(subgroups_url2, expect=200, auth=self.get_normal_credentials())
         self.assertEqual(with_one_more_kid['count'], 2)