From 66d27c4f9655ce42a35f470c1c29e6166acd0da3 Mon Sep 17 00:00:00 2001
From: Michael DeHaan
Date: Tue, 2 Jul 2013 16:31:10 -0400
Subject: [PATCH] Prevent hosts from being added to their own children.

---
 awx/main/base_views.py      | 9 +++++++++
 awx/main/tests/inventory.py | 9 +++++++++
 2 files changed, 18 insertions(+)

diff --git a/awx/main/base_views.py b/awx/main/base_views.py
index e0910a6da9..ad8f6dc27d 100644
--- a/awx/main/base_views.py
+++ b/awx/main/base_views.py
@@ -118,6 +118,7 @@ class BaseSubList(BaseList):
             # no attaching to yourself
             raise PermissionDenied()
+
         if self.__class__.parent_model != User:
         # FIXME: refactor into smaller functions
@@ -207,6 +208,14 @@ class BaseSubList(BaseList):
         else:
             # resource is just a ForeignKey, can't remove it from the set, just set it inactive
             sub.mark_inactive()
+
+
+        # verify we didn't add anything to it's own children
+        if type(main) == Group:
+            all_children = main.get_all_children().all()
+            if main in all_children:
+                # no attaching to child objects (in the case of groups)
+                raise PermissionDenied()
         if created:
             return Response(status=status.HTTP_201_CREATED, data=ser.data)
diff --git a/awx/main/tests/inventory.py b/awx/main/tests/inventory.py
index fee675a5a8..6623c0071c 100644
--- a/awx/main/tests/inventory.py
+++ b/awx/main/tests/inventory.py
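Review bot: The cycle check added in the @@ -207 hunk runs only after the relationship has already been written — the attach/`sub.mark_inactive()` path above it has completed by the time `main in all_children` is evaluated — so a group attached to one of its own descendants is persisted and the client merely receives a 403 afterwards, unless the request is wrapped in a transaction that rolls back on PermissionDenied, which is not visible here. The guard belongs before the mutation, testing the object about to be attached (assuming `sub` is that object): `if isinstance(main, Group) and isinstance(sub, Group) and main in sub.get_all_children(): raise PermissionDenied()`, which also replaces `type(main) == Group` with the idiomatic `isinstance` and makes the post-hoc block and its redundant `.all()` unnecessary. The commit title speaks of hosts, but the new guard only fires when `main` is a Group, so if a host sublist has the same problem it remains unguarded. The comment should read `# verify we didn't add anything to its own children`. The enclosing method of BaseSubList starts before this hunk and continues past it (the `if created:` return is still inside it), so whether an outer transaction exists cannot be judged from the hunk.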
@@ -451,6 +451,15 @@ class InventoryTest(BaseTest):
         kids = self.get(subgroups_url2, expect=200, auth=self.get_normal_credentials())
         self.assertEqual(kids['count'], 1)
         posted2 = self.post(subgroups_url2, data=new_data, expect=201, auth=self.get_normal_credentials())
+
+        # a group can't be it's own grandparent
+        subsub = posted2['related']['children']
+        # this is the grandparent
+        original_url = reverse('main:group_detail', args=(Group.objects.get(name='web6').pk,))
+        parent_data = self.get(original_url, expect=200, auth=self.get_super_credentials())
+        # now posting to kid's children collection...
+        self.post(subsub, data=parent_data, expect=403, auth=self.get_super_credentials())
+
         with_one_more_kid = self.get(subgroups_url2, expect=200, auth=self.get_normal_credentials())
         self.assertEqual(with_one_more_kid['count'], 2)
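Review bot: The new test only asserts the 403 on the POST to `subsub`; it never verifies that the grandparent was not actually attached, so a guard that raises after persisting the relationship would still pass this test. Add a follow-up read of the children collection and assert it is unchanged, e.g. `self.assertEqual(self.get(subsub, expect=200, auth=self.get_super_credentials())['count'], 0)` (0 assumes the freshly created group has no children yet — confirm against the fixture). The comment typo should read `# a group can't be its own grandparent`. The enclosing test method starts before this hunk and may continue past it.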