From cf436eea3758cf9f9ee3a09d413afc5429f9d17c Mon Sep 17 00:00:00 2001 From: beeankha Date: Wed, 14 Aug 2019 15:10:35 -0400 Subject: [PATCH] Update RBAC for adding approval nodes --- awx/api/serializers.py | 6 ++++++ awx/api/views/__init__.py | 6 ++++-- awx/main/access.py | 3 --- 3 files changed, 10 insertions(+), 5 deletions(-) diff --git a/awx/api/serializers.py b/awx/api/serializers.py index b8f64aec2b..082e12bd73 100644 --- a/awx/api/serializers.py +++ b/awx/api/serializers.py @@ -3659,6 +3659,12 @@ class WorkflowJobNodeSerializer(LaunchConfigurationBaseSerializer): res['workflow_job'] = self.reverse('api:workflow_job_detail', kwargs={'pk': obj.workflow_job.pk}) return res + def get_summary_fields(self, obj): + summary_fields = super(WorkflowJobNodeSerializer, self).get_summary_fields(obj) + if isinstance(obj.job, WorkflowApproval): + summary_fields['job']['timed_out'] = obj.job.timed_out + return summary_fields + class WorkflowJobNodeListSerializer(WorkflowJobNodeSerializer): pass diff --git a/awx/api/views/__init__.py b/awx/api/views/__init__.py index 726f14295b..fd1a36c0e4 100644 --- a/awx/api/views/__init__.py +++ b/awx/api/views/__init__.py @@ -3026,11 +3026,12 @@ class WorkflowJobTemplateNodeCreateApproval(RetrieveAPIView): return Response(data={'id':approval_template.pk}, status=status.HTTP_200_OK) def check_permissions(self, request): + obj = self.get_object().workflow_job_template if request.method == 'POST': - if request.user not in self.get_object().workflow_job_template.admin_role: + if not request.user.can_access(models.WorkflowJobTemplate, 'change', obj, request.data): self.permission_denied(request) else: - if request.user not in self.get_object().workflow_job_template.read_role: + if not request.user.can_access(models.WorkflowJobTemplate, 'read', obj): self.permission_denied(request) 
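Review bot: In the added `get_summary_fields` on `WorkflowJobNodeSerializer`, the assignment `summary_fields['job']['timed_out'] = obj.job.timed_out` indexes `summary_fields['job']` without checking that the parent call populated it. The parent implementation is outside this hunk, so it cannot be confirmed here that a `job` entry is always present when `obj.job` is a `WorkflowApproval`. If it is ever omitted, the resulting `KeyError` would turn the node endpoints into a 500. Guarding it costs one condition: `if isinstance(obj.job, WorkflowApproval) and 'job' in summary_fields:`. A one-line docstring such as `"""Add the approval's timed_out flag to the job summary for approval nodes."""` would also explain why this serializer overrides the method.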
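Review bot: `check_permissions` in `WorkflowJobTemplateNodeCreateApproval` requires `change` only when `request.method == 'POST'`, and every other method falls through to the weaker `read` check in the `else` branch. If a mutating handler (PUT, PATCH, DELETE) is ever added to this view, it would be gated on read access alone. Making the safe methods the explicit case keeps the check fail-closed: `if request.method not in SAFE_METHODS:` (from `rest_framework.permissions`) for the `change` branch, with `read` in the `else`. Separately, `request.data` here appears to be the approval-node payload rather than workflow job template fields, so it is worth confirming how the `change` check interprets it; the access class is not visible in this hunk. The diffstat lists no test files, so a test asserting that a read-only user receives 403 on POST would pin the new behaviour.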
@@ -4487,6 +4488,7 @@ class WorkflowApprovalDeny(RetrieveAPIView): obj.deny(request) return Response(status=status.HTTP_204_NO_CONTENT) + # Placeholder code for approval notification support class WorkflowApprovalNotificationsList(SubListAPIView): diff --git a/awx/main/access.py b/awx/main/access.py index 32f96a2e35..d39ab65b49 100644 --- a/awx/main/access.py +++ b/awx/main/access.py @@ -2790,9 +2790,6 @@ class WorkflowApprovalAccess(BaseAccess): model = WorkflowApproval prefetch_related = ('created_by', 'modified_by',) - def can_read(self, obj): - return True - def can_use(self, obj): return True