added tests to assert team roles attach/unattach permissions, removed previous flawed fix

awx/api/views.py

@@ -836,10 +836,6 @@ class TeamRolesList(SubListCreateAttachDetachAPIView):
 
     def post(self, request, *args, **kwargs):
         # Forbid implicit role creation here
-        team = get_object_or_404(Team, pk=self.kwargs['pk'])
-        if not self.request.user.can_access(Team, 'change', team):
-            raise PermissionDenied()
-
         sub_id = request.data.get('id', None)
         if not sub_id:
             data = dict(msg='Role "id" field is missing')

awx/main/tests/functional/test_rbac_team.py

@@ -3,6 +3,25 @@ import pytest
 from awx.main.access import TeamAccess
 from awx.main.models import Project
 
+
+@pytest.mark.django_db
+def test_team_attach_unattach(team, user):
+    u = user('member', False)
+    access = TeamAccess(u)
+
+    team.member_role.members.add(u)
+    assert not access.can_attach(team, u.admin_role, 'member_role.children', None)
+    assert not access.can_unattach(team, u.admin_role, 'member_role.children')
+
+    team.admin_role.members.add(u)
+    assert access.can_attach(team, u.admin_role, 'member_role.children', None)
+    assert access.can_unattach(team, u.admin_role, 'member_role.children')
+
+    u2 = user('non-member', False)
+    access = TeamAccess(u2)
+    assert not access.can_attach(team, u2.admin_role, 'member_role.children', None)
+    assert not access.can_unattach(team, u2.admin_role, 'member_role.chidlren')
+
 @pytest.mark.django_db
 def test_team_access_superuser(team, user):
     team.member_role.members.add(user('member', False))