ensure change access for adding team roles

2026-01-17 20:51:21 -03:30 · 2016-04-28 13:43:49 -04:00 · 2016-04-28 13:43:49 -04:00 · b6bbd4fa77
commit b6bbd4fa77
parent 521e0645a2
2 changed files with 9 additions and 4 deletions
--- a/awx/api/views.py
+++ b/awx/api/views.py
@ -834,9 +834,12 @@ class TeamRolesList(SubListCreateAttachDetachAPIView):
            raise PermissionDenied()
        return Role.filter_visible_roles(self.request.user, team.member_role.children.all())

-    # XXX: Need to enforce permissions
    def post(self, request, *args, **kwargs):
        # Forbid implicit role creation here
+        team = get_object_or_404(Team, pk=self.kwargs['pk'])
+        if not self.request.user.can_access(Team, 'change', team):
+            raise PermissionDenied()
+
        sub_id = request.data.get('id', None)
        if not sub_id:
            data = dict(msg='Role "id" field is missing')
--- a/awx/main/tests/unit/api/test_views.py
+++ b/awx/main/tests/unit/api/test_views.py
@ -1,8 +1,9 @@
-# Python
 import pytest

-# AWX
-from awx.api.views import ApiV1RootView
+from awx.api.views import (
+    ApiV1RootView,
+)
+

@pytest.fixture
 def mock_response_new(mocker):
@ -10,6 +11,7 @@ def mock_response_new(mocker):
    m.return_value = m
    return m

+
 class TestApiV1RootView:
    def test_get_endpoints(self, mocker, mock_response_new):
        endpoints = [