From 410a9dd45f47639bc7f30ff7b7871a466eb38066 Mon Sep 17 00:00:00 2001
From: Akita Noek
Date: Tue, 3 May 2016 13:42:14 -0400
Subject: [PATCH] Special case handlign for team access list to prevent "read" role showing up as a direct team role Fixes #1713
---
 awx/api/serializers.py | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/awx/api/serializers.py b/awx/api/serializers.py
index a889896c39..bfaf2650b6 100644
--- a/awx/api/serializers.py
+++ b/awx/api/serializers.py
@@ -1545,6 +1545,15 @@ class ResourceAccessListElementSerializer(UserSerializer):
 .filter(content_type=team_content_type,
 members=user,
 children__in=direct_permissive_role_ids)
+ if content_type == team_content_type:
+ # When looking at the access list for a team, exclude the entries
+ # for that team. This exists primarily so we don't list the read role
+ # as a direct role when a user is a member or admin of a team
+ direct_team_roles = direct_team_roles.exclude(
+ children__content_type=team_content_type,
+ children__object_id=obj.id
+ )
+
 indirect_team_roles = Role.objects \
 .filter(content_type=team_content_type,
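Review bot: The added `exclude(children__content_type=team_content_type, children__object_id=obj.id)` spans what looks like a multi-valued relation (`children`, already used with `children__in` in the filter just above), and Django does not guarantee that two conditions in a single `exclude()` call are matched against the same related row. A team role with one child of team content type and a different child whose `object_id` happens to equal `obj.id` could therefore be dropped, so a genuine direct team role would be missing from the access list that people rely on to audit who has access. Pinning both conditions to one child row avoids that: `direct_team_roles = direct_team_roles.exclude(children__in=Role.objects.filter(content_type=team_content_type, object_id=obj.id))`. The enclosing method starts and ends outside the hunk, so `obj`, `content_type` and `direct_permissive_role_ids` are taken as given here; a test with a team and a non-team object sharing the same id would confirm the behaviour either way.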