diff --git a/awx/api/views.py b/awx/api/views.py
index 3b0942dc65..be4cf4fd8b 100644
--- a/awx/api/views.py
+++ b/awx/api/views.py
@@ -815,8 +815,9 @@ class TeamRolesList(SubListCreateAttachDetachAPIView):
 relationship='member_role.children'
 def get_queryset(self):
- team = Team.objects.get(pk=self.kwargs['pk'])
- #return team.member_role.children.filter(id__in=Role.visible_roles(self.request.user))
+ team = get_object_or_404(Team, pk=self.kwargs['pk'])
+ if not self.request.user.can_access(Team, 'read', team):
+ raise PermissionDenied()
 return Role.filter_visible_roles(self.request.user, team.member_role.children.all())
 # XXX: Need to enforce permissions
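Review bot: The new check in `get_queryset` guards only the listing path, and the `# XXX: Need to enforce permissions` comment kept as the hunk's last context line suggests the handler that follows it (outside this hunk) is still unchecked. On a `SubListCreateAttachDetachAPIView`, `'read'` on the team is enough to list its roles but should not be enough to attach or detach them, so that path presumably needs its own, stronger `can_access` check; until it has one, make the marker say what is left, e.g. `# XXX: get_queryset() enforces 'read' on the team; the write path below still needs permission enforcement`. Separately, a missing team now answers 404 while an existing but unreadable one answers 403, which tells a caller without access which team ids exist; confirm that this matches how the rest of the API treats hidden objects. The class body continues outside the hunk.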