ensure change access for adding team roles

2026-03-16 00:17:29 -02:30 · 2016-04-28 13:43:49 -04:00
parent 521e0645a2
commit b6bbd4fa77
2 changed files with 9 additions and 4 deletions
--- a/awx/api/views.py
+++ b/awx/api/views.py
@@ -834,9 +834,12 @@ class TeamRolesList(SubListCreateAttachDetachAPIView):
            raise PermissionDenied()
        return Role.filter_visible_roles(self.request.user, team.member_role.children.all())

-    # XXX: Need to enforce permissions
    def post(self, request, *args, **kwargs):
        # Forbid implicit role creation here
+        team = get_object_or_404(Team, pk=self.kwargs['pk'])
+        if not self.request.user.can_access(Team, 'change', team):
+            raise PermissionDenied()
+
        sub_id = request.data.get('id', None)
        if not sub_id:
            data = dict(msg='Role "id" field is missing')