From bb485c99fef020e38619ffa26bc249a8b5e7b7ad Mon Sep 17 00:00:00 2001
From: Matthew Jones
Date: Wed, 6 Aug 2014 11:47:03 -0400
Subject: [PATCH] Make sure job starts follow rbac
---
 awx/api/views.py   | 2 ++
 awx/main/access.py | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/awx/api/views.py b/awx/api/views.py
index 23edd70c3e..891c360721 100644
--- a/awx/api/views.py
+++ b/awx/api/views.py
@@ -1529,6 +1529,8 @@ class JobStart(GenericAPIView):
     def post(self, request, *args, **kwargs):
         obj = self.get_object()
+        if not request.user.can_access(self.model, 'start', obj):
+            raise PermissionDenied()
         if obj.can_start:
             result = obj.signal_start(**request.DATA)
             if not result:
diff --git a/awx/main/access.py b/awx/main/access.py
index 3946d0a08f..a6bc7299a6 100644
--- a/awx/main/access.py
+++ b/awx/main/access.py
@@ -1008,7 +1008,7 @@ class JobAccess(BaseAccess):
         dep_access = self.user.can_access(Inventory, 'read', obj.inventory) and \
                      self.user.can_access(Project, 'read', obj.project)
-        return self.can_read(obj) and obj.can_start and dep_access
+        return self.can_read(obj) and dep_access
     def can_cancel(self, obj):
         return self.can_read(obj) and obj.can_cancel
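Review bot: The added check in JobStart.post depends on `PermissionDenied` being in scope in awx/api/views.py, and the hunk does not show the import; if the name is not already imported, the first unauthorized request would fail with a NameError (a 500) rather than a 403, so confirm the import (DRF's `rest_framework.exceptions.PermissionDenied` produces a 403 JSON response, and Django's `django.core.exceptions.PermissionDenied` is also mapped to 403 by DRF's exception handler). The ordering of the two checks deserves a comment, because the companion hunk in awx/main/access.py drops the `obj.can_start` state test from `JobAccess.can_start`, leaving this method as the only place that enforces it: `# Authorization first: a caller without 'start' rights gets 403 regardless of job state.` above the new `if` would preserve that intent. `post()` continues past the end of the hunk.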
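Review bot: Removing `obj.can_start` from the return value changes what `can_access(Job, 'start', obj)` means for every caller, not only JobStart.post: the predicate is now pure authorization and answers True for a job whose state does not allow starting, so any other consumer of the 'start' permission (for instance code deciding whether to advertise a start action), if one exists, now needs its own state check. The method should state this split; a docstring such as `"""Return whether the user is authorized to start this job; job state (obj.can_start) is enforced by the view, not here."""` on `can_start` would make it explicit. `dep_access` also passes `obj.inventory` and `obj.project` to `can_access`, and how the Inventory and Project access classes treat a None object is not visible in this hunk, so confirm that a job with a missing dependency is denied rather than raising. The `def can_start` line lies above the hunk.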