From a4adda1ae719149e21bcd9e7690a88646509561d Mon Sep 17 00:00:00 2001
From: Wayne Witzel III
Date: Fri, 23 Sep 2016 10:10:39 -0400
Subject: [PATCH] only allow superusers to start a job from a SystemJobTemplate
---
 awx/main/access.py | 4 +++-
 awx/main/tests/unit/test_access.py | 19 ++++++++++++++++++-
 2 files changed, 21 insertions(+), 2 deletions(-)
diff --git a/awx/main/access.py b/awx/main/access.py
index 734dce5ecc..72636e1776 100644
--- a/awx/main/access.py
+++ b/awx/main/access.py
@@ -1122,8 +1122,10 @@ class SystemJobTemplateAccess(BaseAccess):
 model = SystemJobTemplate
+ @check_superuser
 def can_start(self, obj):
- return self.can_read(obj)
+ '''Only a superuser can start a job from a SystemJobTemplate'''
+ return False
 class SystemJobAccess(BaseAccess):
 '''
diff --git a/awx/main/tests/unit/test_access.py b/awx/main/tests/unit/test_access.py
index 000d91268c..0c2e6bb5be 100644
--- a/awx/main/tests/unit/test_access.py
+++ b/awx/main/tests/unit/test_access.py
@@ -8,8 +8,16 @@ from awx.main.access import (
 BaseAccess,
 check_superuser,
 JobTemplateAccess,
+ SystemJobTemplateAccess,
+)
+
+from awx.main.models import (
+ Credential,
+ Inventory,
+ Project,
+ Role,
+ Organization,
 )
-from awx.main.models import Credential, Inventory, Project, Role, Organization
 @pytest.fixture
@@ -110,3 +118,12 @@ def test_jt_can_add_bad_data(user_unit):
 access = JobTemplateAccess(user_unit)
 assert not access.can_add({'asdf': 'asdf'})
+def test_system_job_template_can_start(mocker):
+ user = mocker.MagicMock(spec=User, id=1, is_system_auditor=True, is_superuser=False)
+ assert user.is_system_auditor
+ access = SystemJobTemplateAccess(user)
+ assert not access.can_start(None)
+
+ user.is_superuser = True
+ access = SystemJobTemplateAccess(user)
+ assert access.can_start(None)
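Review bot: The allow path of the new `can_start` is entirely implicit in `@check_superuser`, so the body's `return False` reads as a blanket deny to anyone who does not know the decorator. The docstring could state the mechanism, for example `'''Deny by default; @check_superuser grants superusers before this body runs.'''`, assuming the decorator short-circuits that way, since its definition is outside this hunk. Because read access previously implied start, any other path that launches a system job (a schedule, for instance) is worth checking for the same superuser gate; none is visible in this patch. The class starts and continues outside the hunk.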
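Review bot: The new `test_system_job_template_can_start` checks the deny case and the allow case in one body, so a failure of the first assertion hides the outcome of the second. Parametrizing it with `@pytest.mark.parametrize('is_superuser, expected', [(False, False), (True, True)])` and a single `assert access.can_start(None) == expected` keeps both results visible in the report. The line `assert user.is_system_auditor` only re-checks the mock's own configuration and could be dropped. `spec=User` relies on `User` being imported above line 8 of the test file, which this patch does not show.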