Merge pull request #2516 from AlanCoding/2489_proj_permission_cls

Fix ProjectUpdate permission bug, consolidate logic

awx/api/permissions.py

@@ -195,22 +195,10 @@ class ProjectUpdatePermission(ModelAccessPermission):
     '''
     Permission check used by ProjectUpdateView to determine who can update projects
     '''
-    def check_get_permission(self, request, view, obj=None):
+    def check_get_permissions(self, request, view, obj=None):
-        if request.user.is_superuser:
-            return True
-
         project = get_object_or_400(view.model, pk=view.kwargs['pk'])
-        if project and request.user in project.read_role:
+        return check_user_access(request.user, view.model, 'read', project)
-            return True
-
-        return False
-
-    def check_post_permission(self, request, view, obj=None):
-        if request.user.is_superuser:
-            return True
 
+    def check_post_permissions(self, request, view, obj=None):
         project = get_object_or_400(view.model, pk=view.kwargs['pk'])
-        if project and request.user in project.update_role:
+        return check_user_access(request.user, view.model, 'start', project)
-            return True
-
-        return False

awx/main/access.py

@@ -709,8 +709,9 @@ class ProjectAccess(BaseAccess):
     def can_delete(self, obj):
         return self.can_change(obj, None)
 
+    @check_superuser
     def can_start(self, obj):
-        return self.can_change(obj, {}) and obj.can_update
+        return obj and self.user in obj.update_role
 
 class ProjectUpdateAccess(BaseAccess):
     '''