From d3476ed52a8760173bd2a35ebee59edfed906419 Mon Sep 17 00:00:00 2001
From: Akita Noek
Date: Mon, 27 Jun 2016 11:02:02 -0400
Subject: [PATCH] Filter out roles users shouldn't be able to see from parents/children lists
---
 awx/api/views.py | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)
diff --git a/awx/api/views.py b/awx/api/views.py
index 60357cf347..e3c359cb7b 100644
--- a/awx/api/views.py
+++ b/awx/api/views.py
@@ -3742,10 +3742,9 @@ class RoleParentsList(SubListAPIView):
 new_in_300 = True
 def get_queryset(self):
- # XXX: This should be the intersection between the roles of the user
- # and the roles that the requesting user has access to see
 role = Role.objects.get(pk=self.kwargs['pk'])
- return role.parents.all()
+ return Role.filter_visible_roles(self.request.user, role.parents.all())
+
 class RoleChildrenList(SubListAPIView):
@@ -3757,10 +3756,8 @@ class RoleChildrenList(SubListAPIView):
 new_in_300 = True
 def get_queryset(self):
- # XXX: This should be the intersection between the roles of the user
- # and the roles that the requesting user has access to see
 role = Role.objects.get(pk=self.kwargs['pk'])
- return role.children.all()
+ return Role.filter_visible_roles(self.request.user, role.children.all())
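Review bot: In both `get_queryset` methods (RoleParentsList in the first hunk, RoleChildrenList in the second) the role named by `pk` is still loaded with `Role.objects.get(pk=self.kwargs['pk'])` and is never checked against the requesting user, so the commit filters the returned list but not access to the role whose relations are being listed. Unless SubListAPIView enforces parent access somewhere outside this diff, a missing id raises `Role.DoesNotExist` instead of producing a 404, while an existing but hidden role returns the visible subset of its parents or children, which lets a caller tell the two cases apart. I would resolve the role with `role = get_object_or_404(Role, pk=self.kwargs['pk'])` (if that helper is in scope in views.py) and return the same not-found response when `Role.filter_visible_roles(self.request.user, Role.objects.filter(pk=role.pk))` is empty, with an API test that covers a user who cannot see the role. Both class bodies begin outside their hunks, so any permission handling declared above `new_in_300` is not visible here.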