prohibit users without read_role from viewing copy endpoint

2026-02-21 05:00:07 -03:30 · 2018-06-07 14:17:06 -04:00
parent b1f36572c6
commit ed762fd4b6
2 changed files with 4 additions and 1 deletions
--- a/awx/api/generics.py
+++ b/awx/api/generics.py
@@ -929,6 +929,8 @@ class CopyAPIView(GenericAPIView):
        if get_request_version(request) < 2:
            return self.v1_not_allowed()
        obj = self.get_object()
+        if not request.user.can_access(obj.__class__, 'read', obj):
+            raise PermissionDenied()
        create_kwargs = self._build_create_dict(obj)
        for key in create_kwargs:
            create_kwargs[key] = getattr(create_kwargs[key], 'pk', None) or create_kwargs[key]