properly check read permissions in GET /api/v2/wfjt/N/copy/

see: https://github.com/ansible/tower/issues/2323
2026-01-19 05:31:22 -03:30 · 2018-07-03 15:15:00 -04:00 · 2018-07-03 15:15:00 -04:00 · d1f5485b96
commit d1f5485b96
parent 220831a3d0
1 changed files with 4 additions and 0 deletions
--- a/awx/api/views.py
+++ b/awx/api/views.py
@ -3720,7 +3720,11 @@ class WorkflowJobTemplateCopy(WorkflowsEnforcementMixin, CopyAPIView):
    copy_return_serializer_class = WorkflowJobTemplateSerializer

    def get(self, request, *args, **kwargs):
+        if get_request_version(request) < 2:
+            return self.v1_not_allowed()
        obj = self.get_object()
+        if not request.user.can_access(obj.__class__, 'read', obj):
+            raise PermissionDenied()
        can_copy, messages = request.user.can_access_with_errors(self.model, 'copy', obj)
        data = OrderedDict([
            ('can_copy', can_copy), ('can_copy_without_user_input', can_copy),