From b6bbd4fa7711a74ae9718d476fdc9c1cb875e4aa Mon Sep 17 00:00:00 2001
From: Wayne Witzel III
Date: Thu, 28 Apr 2016 13:43:49 -0400
Subject: [PATCH] ensure change access for adding team roles

---
 awx/api/views.py | 5 ++++-
 awx/main/tests/unit/api/test_views.py | 8 +++++---
 2 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/awx/api/views.py b/awx/api/views.py
index 4ea256c246..0c7164a622 100644
--- a/awx/api/views.py
+++ b/awx/api/views.py
@@ -834,9 +834,12 @@ class TeamRolesList(SubListCreateAttachDetachAPIView):
 raise PermissionDenied()
 return Role.filter_visible_roles(self.request.user, team.member_role.children.all())
- # XXX: Need to enforce permissions
 def post(self, request, *args, **kwargs):
 # Forbid implicit role creation here
+ team = get_object_or_404(Team, pk=self.kwargs['pk'])
+ if not self.request.user.can_access(Team, 'change', team):
+ raise PermissionDenied()
+
 sub_id = request.data.get('id', None)
 if not sub_id:
 data = dict(msg='Role "id" field is missing')
diff --git a/awx/main/tests/unit/api/test_views.py b/awx/main/tests/unit/api/test_views.py
index a5d63906c5..6b886513bd 100644
--- a/awx/main/tests/unit/api/test_views.py
+++ b/awx/main/tests/unit/api/test_views.py
@@ -1,8 +1,9 @@
-# Python
 import pytest
-# AWX
-from awx.api.views import ApiV1RootView
+from awx.api.views import (
+ ApiV1RootView,
+)
+
 @pytest.fixture
 def mock_response_new(mocker):
@@ -10,6 +11,7 @@ def mock_response_new(mocker):
 m.return_value = m
 return m
+
 class TestApiV1RootView:
 def test_get_endpoints(self, mocker, mock_response_new):
 endpoints = [
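Review bot: The new guard in `TeamRolesList.post` only proves the caller may change the team; it does not check that the caller holds any permission over the role identified by `request.data['id']`, which is the object actually being granted to the team's members. Unless the attach path later in `post` (the method continues past this hunk) verifies access to the role — presumably via the object the role is attached to — a user with `change` on a team could attach roles on resources they cannot otherwise touch to their own team and so escalate through team membership. I would resolve the role up front, `role = get_object_or_404(Role, pk=sub_id)`, and gate on it with whatever `can_access` action the access layer defines for granting a role, before any attach happens. Minor style point: the method receives `request` but reads `self.request.user` on the new line; the `get` above does the same, so it is consistent, but one spelling per method is easier to audit.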