From 733478ee19107a61b5c2330e9dc231cc7de47b84 Mon Sep 17 00:00:00 2001
From: Alan Rominger <arominge@redhat.com>
Date: Fri, 15 Mar 2024 12:54:03 -0400
Subject: [PATCH] [RBAC] Fix server error from delete capability of approvals
 (#15002)

Fix server error from delete capability of approvals
---
 awx/main/access.py                              |  3 +++
 .../dab_rbac/test_translation_layer.py          | 17 ++++++++++++++++-
 2 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/awx/main/access.py b/awx/main/access.py
index 505c1de918..dec9386d5d 100644
--- a/awx/main/access.py
+++ b/awx/main/access.py
@@ -2940,6 +2940,9 @@ class WorkflowApprovalAccess(BaseAccess):
         if (obj.workflow_job_template and self.user in obj.workflow_job_template.approval_role) or self.user.is_superuser:
             return True
 
+    def can_delete(self, obj):
+        return self.user.is_superuser  # Not really supposed to be done
+
 
 class WorkflowApprovalTemplateAccess(BaseAccess):
     """
diff --git a/awx/main/tests/functional/dab_rbac/test_translation_layer.py b/awx/main/tests/functional/dab_rbac/test_translation_layer.py
index e17788b98b..8d55c6e3ce 100644
--- a/awx/main/tests/functional/dab_rbac/test_translation_layer.py
+++ b/awx/main/tests/functional/dab_rbac/test_translation_layer.py
@@ -1,7 +1,8 @@
 import pytest
 
 from awx.main.models.rbac import get_role_from_object_role
-from awx.main.models import User, Organization
+from awx.main.models import User, Organization, WorkflowJobTemplate, WorkflowJobTemplateNode
+from awx.api.versioning import reverse
 
 from ansible_base.rbac.models import RoleUserAssignment
 
@@ -59,3 +60,17 @@ def test_organization_execute_role(organization, rando):
     organization.execute_role.members.add(rando)
     assert rando in organization.execute_role
     assert set(Organization.accessible_objects(rando, 'execute_role')) == set([organization])
+
+
+@pytest.mark.django_db
+def test_workflow_approval_list(get, post, admin_user):
+    workflow_job_template = WorkflowJobTemplate.objects.create()
+    approval_node = WorkflowJobTemplateNode.objects.create(workflow_job_template=workflow_job_template)
+    url = reverse('api:workflow_job_template_node_create_approval', kwargs={'pk': approval_node.pk, 'version': 'v2'})
+    post(url, {'name': 'URL Test', 'description': 'An approval', 'timeout': 0}, user=admin_user)
+    approval_node.refresh_from_db()
+    approval_jt = approval_node.unified_job_template
+    approval_jt.create_unified_job()
+
+    r = get(url=reverse('api:workflow_approval_list'), user=admin_user, expect=200)
+    assert r.data['count'] >= 1