Merge pull request #2098 from AlanCoding/u_no_copy

Prohibit users without read_role from viewing copy endpoint

awx/api/generics.py

@@ -931,6 +931,8 @@ class CopyAPIView(GenericAPIView):
         if get_request_version(request) < 2:
             return self.v1_not_allowed()
         obj = self.get_object()
+        if not request.user.can_access(obj.__class__, 'read', obj):
+            raise PermissionDenied()
         create_kwargs = self._build_create_dict(obj)
         for key in create_kwargs:
             create_kwargs[key] = getattr(create_kwargs[key], 'pk', None) or create_kwargs[key]

awx/main/tests/functional/test_copy.py

@@ -170,7 +170,7 @@ def test_credential_copy(post, get, machine_credential, credentialtype_ssh, admi
 @pytest.mark.django_db
 def test_notification_template_copy(post, get, notification_template_with_encrypt,
                                     organization, alice):
-    #notification_template_with_encrypt.admin_role.members.add(alice)
+    notification_template_with_encrypt.organization.auditor_role.members.add(alice)
     assert get(
         reverse(
             'api:notification_template_copy', kwargs={'pk': notification_template_with_encrypt.pk}
@@ -197,6 +197,7 @@ def test_notification_template_copy(post, get, notification_template_with_encryp
 
 @pytest.mark.django_db
 def test_inventory_script_copy(post, get, inventory_script, organization, alice):
+    inventory_script.organization.auditor_role.members.add(alice)
     assert get(
         reverse('api:inventory_script_copy', kwargs={'pk': inventory_script.pk}), alice, expect=200
     ).data['can_copy'] is False