From 2b589228d323f7c8199cfdaf20c81475d64e4c50 Mon Sep 17 00:00:00 2001
From: Wayne Witzel III
Date: Tue, 26 Apr 2016 14:36:22 -0400
Subject: [PATCH 1/2] Fixing CredentialList post access check
---
awx/api/views.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/awx/api/views.py b/awx/api/views.py
index 81351a9066..a9cca93d1d 100644
--- a/awx/api/views.py
+++ b/awx/api/views.py
@@ -1225,7 +1225,7 @@ class CredentialList(ListCreateAPIView):
 organization = Organization.objects.get(pk=request.data['organization'])
 obj = organization
- if self.request.user not in obj.admin_role:
+ if not self.request.user.can_access(type(obj), 'admin', obj, request.data):
 raise PermissionDenied()
 ret = super(CredentialList, self).post(request, *args, **kwargs)
From e78eb591dbc3799112691c8c9f301f6c4469191a Mon Sep 17 00:00:00 2001
From: Wayne Witzel III
Date: Tue, 26 Apr 2016 15:57:49 -0400
Subject: [PATCH 2/2] change permission, not admin permission
---
awx/api/views.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/awx/api/views.py b/awx/api/views.py
index a9cca93d1d..84e13a5fae 100644
--- a/awx/api/views.py
+++ b/awx/api/views.py
@@ -1225,7 +1225,7 @@ class CredentialList(ListCreateAPIView):
 organization = Organization.objects.get(pk=request.data['organization'])
 obj = organization
- if not self.request.user.can_access(type(obj), 'admin', obj, request.data):
+ if not self.request.user.can_access(type(obj), 'change', obj, request.data):
 raise PermissionDenied()
 ret = super(CredentialList, self).post(request, *args, **kwargs)
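Review bot: The last argument of the new `can_access(type(obj), 'admin', obj, request.data)` call is the payload of the credential being created, while `obj` is the owner looked up on the lines above, so the check is handed data that describes a different object. `can_access` is not visible in this hunk; if the access class for `type(obj)` reads that dict, fields meant for the credential could influence a decision about the owner. The second patch in this series keeps the same argument. A comment on the `if` line such as `# owner check only: request.data is the credential payload, not changes to obj` would make the intent reviewable. The branch that selects `obj` starts above the hunk.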
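Review bot: The rule on the `if` line went from `admin_role` membership to the `'admin'` action to the `'change'` action across these two patches, and neither patch states who is meant to be allowed to create a credential owned by another object. This check is the only gate visible in the hunk before `super(CredentialList, self).post(...)`, so the intended rule belongs next to it, for example `# caller must be able to change the owning object to attach a credential to it`. The diffstat shows only `awx/api/views.py` changed; a test that posts as a caller without change rights on the organization and expects `PermissionDenied` would pin the behaviour. The enclosing `post` method begins and ends outside the hunk.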