[RBAC] Fix bug where team could not be given read_role to other team (#15067)

* Fix bug where team could not be given read_role to other team * Avoid unwanted triggers of parentage granting * Restructure signal structure * Fix another bug unmasked by team member permission fix * Changes to live with test writing * Use equality as opposed to string "in" from Seth in review comment Co-authored-by: Seth Foster <fosterseth@users.noreply.github.com> --------- Co-authored-by: Seth Foster <fosterseth@users.noreply.github.com>
2026-03-05 18:51:06 -03:30 · 2024-04-05 13:59:18 -04:00
parent a138a92e67
commit c98727d83e
4 changed files with 37 additions and 13 deletions
--- a/awx/api/views/init.py
+++ b/awx/api/views/init.py
@@ -797,7 +797,7 @@ class TeamProjectsList(SubListAPIView):
        role = ObjectRole.objects.filter(object_id=team.id, content_type=parent_ct, role_definition=rd).first()
        if role is None:
            # Team has no permissions, therefore team has no projects
-            return self.model.none()
+            return self.model.objects.none()
        else:
            project_qs = self.model.accessible_objects(self.request.user, 'read_role')
            return project_qs.filter(id__in=RoleEvaluation.objects.filter(content_type_id=model_ct.id, role=role).values_list('object_id'))