From 9a44dc4ba0427b6ed5ec030945a9d12950623663 Mon Sep 17 00:00:00 2001
From: AlanCoding <arominge@redhat.com>
Date: Thu, 13 Oct 2016 15:18:29 -0400
Subject: [PATCH] add can_read method to JobAccess

---
 awx/main/access.py | 23 +++++++++++++++++------
 1 file changed, 17 insertions(+), 6 deletions(-)

diff --git a/awx/main/access.py b/awx/main/access.py
index c70e6331c9..e11ed4a13a 100644
--- a/awx/main/access.py
+++ b/awx/main/access.py
@@ -1168,6 +1168,22 @@ class JobAccess(BaseAccess):
             Q(inventory__organization__in=org_access_qs) |
             Q(project__organization__in=org_access_qs)).distinct()
 
+    def org_access(self, obj):
+        """
+        Via the organization of a related resource, user has a claim to org_admin access of this job
+        """
+        if obj.inventory and obj.inventory.organization and self.user in obj.inventory.organization.admin_role:
+            return True
+        elif obj.project and obj.project.organization and self.user in obj.project.organization.admin_role:
+            return True
+        return False
+
+    @check_superuser
+    def can_read(self, obj):
+        if obj.job_template and self.user in obj.job_template.read_role:
+            return True
+        return self.org_access(obj)
+
     def can_add(self, data):
         if not data:  # So the browseable API will work
             return True
@@ -1196,12 +1212,7 @@ class JobAccess(BaseAccess):
 
     @check_superuser
     def can_delete(self, obj):
-        if obj.inventory is not None and self.user in obj.inventory.organization.admin_role:
-            return True
-        if (obj.project is not None and obj.project.organization is not None and
-                self.user in obj.project.organization.admin_role):
-            return True
-        return False
+        return self.org_access(obj)
 
     def can_start(self, obj, validate_license=True):
         if validate_license: