diff --git a/awx/api/generics.py b/awx/api/generics.py
index 871f2a462d..f52ed95c46 100644
--- a/awx/api/generics.py
+++ b/awx/api/generics.py
@@ -327,6 +327,12 @@ class APIView(views.APIView):
 kwargs.pop('version')
 return super(APIView, self).dispatch(request, *args, **kwargs)
+ def check_permissions(self, request):
+ if request.method not in ('GET', 'OPTIONS', 'HEAD'):
+ if 'write' not in getattr(request.user, 'oauth_scopes', ['write']):
+ raise PermissionDenied()
+ return super(APIView, self).check_permissions(request)
+
 class GenericAPIView(generics.GenericAPIView, APIView):
 # Base class for all model-based views.
diff --git a/awx/main/access.py b/awx/main/access.py
index 8842395ebe..c053058f04 100644
--- a/awx/main/access.py
+++ b/awx/main/access.py
@@ -98,8 +98,6 @@ def check_user_access(user, model_class, action, *args, **kwargs):
 Return True if user can perform action against model_class with the provided parameters.
 '''
- if 'write' not in getattr(user, 'oauth_scopes', ['write']) and action != 'read':
- return False
 access_class = access_registry[model_class]
 access_instance = access_class(user)
 access_method = getattr(access_instance, 'can_%s' % action)
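Review bot: The scope gate in the new `check_permissions` fails open when `request.user` carries no `oauth_scopes` attribute, because the `getattr` default is `['write']`, so any authentication path that attaches a user from a token without also attaching its scopes would silently get write access. That default is presumably deliberate for session and basic auth, which have no scopes, so state it in the method: `# Non-OAuth authentication carries no scopes and is treated as full (write) access; only an OAuth token with a scope list lacking 'write' is restricted.` The tuple `('GET', 'OPTIONS', 'HEAD')` duplicates DRF's `permissions.SAFE_METHODS`; using the constant (`if request.method not in SAFE_METHODS:`) keeps the two from drifting. Note also that the per-action check this replaces (removed from `check_user_access` in the second hunk) rejected every non-read action for any caller, whereas the new check keys on HTTP method alone and only at the view layer, so a read-only token is no longer restricted on code paths that reach the access layer outside a request or via a safe method — confirm none of those perform writes. The body of `class APIView` begins before this hunk and `GenericAPIView` continues past it.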