Merge pull request #1783 from anoek/1713

Special case handling for team access list to prevent "read" role shwing up as a direct team role
2026-01-16 04:10:44 -03:30 · 2016-05-03 14:40:25 -04:00 · 2016-05-03 14:40:25 -04:00 · 7e445124a4
commit 7e445124a4
parent eb714ce67f 410a9dd45f
1 changed files with 9 additions and 0 deletions
--- a/awx/api/serializers.py
+++ b/awx/api/serializers.py
@ -1546,6 +1546,15 @@ class ResourceAccessListElementSerializer(UserSerializer):
                                    .filter(content_type=team_content_type,
                                            members=user,
                                            children__in=direct_permissive_role_ids)
+        if content_type == team_content_type:
+            # When looking at the access list for a team, exclude the entries
+            # for that team. This exists primarily so we don't list the read role
+            # as a direct role when a user is a member or admin of a team
+            direct_team_roles = direct_team_roles.exclude(
+                children__content_type=team_content_type,
+                children__object_id=obj.id
+            )
+

        indirect_team_roles   = Role.objects \
                                    .filter(content_type=team_content_type,