From e07a06e990826942cb5960bff57d415fefa8fa79 Mon Sep 17 00:00:00 2001
From: Wayne Witzel III <wayne@riotousliving.com>
Date: Wed, 22 Jun 2016 11:59:40 -0400
Subject: [PATCH] Teams cannot be parents of Organization roles

---
 awx/api/views.py | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/awx/api/views.py b/awx/api/views.py
index 9db03cfe55..b490d406f4 100644
--- a/awx/api/views.py
+++ b/awx/api/views.py
@@ -875,6 +875,13 @@ class TeamRolesList(SubListCreateAttachDetachAPIView):
         if not sub_id:
             data = dict(msg="Role 'id' field is missing.")
             return Response(data, status=status.HTTP_400_BAD_REQUEST)
+
+        role = Role.objects.get(pk=sub_id)
+        content_type = ContentType.objects.get_for_model(Organization)
+        if role.content_type == content_type:
+            data = dict(msg="You cannot assign Organization roles and child roles for Teams.")
+            return Response(data, status=status.HTTP_400_BAD_REQUEST)
+
         return super(TeamRolesList, self).post(request, *args, **kwargs)
 
 class TeamObjectRolesList(SubListAPIView):
@@ -3715,6 +3722,11 @@ class RoleTeamsList(ListAPIView):
             return Response(data, status=status.HTTP_400_BAD_REQUEST)
 
         role = Role.objects.get(pk=self.kwargs['pk'])
+        content_type = ContentType.objects.get_for_model(Organization)
+        if role.content_type == content_type:
+            data = dict(msg="You cannot assign Organization roles and child roles for Teams.")
+            return Response(data, status=status.HTTP_400_BAD_REQUEST)
+
         team = Team.objects.get(pk=sub_id)
         action = 'attach'
         if request.data.get('disassociate', None):