Update RBAC for adding approval nodes

awx/api/serializers.py

@@ -3659,6 +3659,12 @@ class WorkflowJobNodeSerializer(LaunchConfigurationBaseSerializer):
             res['workflow_job'] = self.reverse('api:workflow_job_detail', kwargs={'pk': obj.workflow_job.pk})
         return res
 
+    def get_summary_fields(self, obj):
+        summary_fields = super(WorkflowJobNodeSerializer, self).get_summary_fields(obj)
+        if isinstance(obj.job, WorkflowApproval):
+            summary_fields['job']['timed_out'] = obj.job.timed_out
+        return summary_fields
+
 
 class WorkflowJobNodeListSerializer(WorkflowJobNodeSerializer):
     pass

awx/api/views/__init__.py

@@ -3026,11 +3026,12 @@ class WorkflowJobTemplateNodeCreateApproval(RetrieveAPIView):
         return Response(data={'id':approval_template.pk}, status=status.HTTP_200_OK)
 
     def check_permissions(self, request):
+        obj = self.get_object().workflow_job_template
         if request.method == 'POST':
-            if request.user not in self.get_object().workflow_job_template.admin_role:
+            if not request.user.can_access(models.WorkflowJobTemplate, 'change', obj, request.data):
                 self.permission_denied(request)
         else:
-            if request.user not in self.get_object().workflow_job_template.read_role:
+            if not request.user.can_access(models.WorkflowJobTemplate, 'read', obj):
                 self.permission_denied(request)
 
 
@@ -4487,6 +4488,7 @@ class WorkflowApprovalDeny(RetrieveAPIView):
         obj.deny(request)
         return Response(status=status.HTTP_204_NO_CONTENT)
 
+
 # Placeholder code for approval notification support
 class WorkflowApprovalNotificationsList(SubListAPIView):
 

awx/main/access.py

@@ -2790,9 +2790,6 @@ class WorkflowApprovalAccess(BaseAccess):
     model = WorkflowApproval
     prefetch_related = ('created_by', 'modified_by',)
 
-    def can_read(self, obj):
-        return True
-
     def can_use(self, obj):
         return True