From f0740794c5ab33986768f666a91006bd31b90538 Mon Sep 17 00:00:00 2001
From: Akita Noek
Date: Thu, 24 Mar 2016 13:30:47 -0400
Subject: [PATCH] Better implementation of RoleUsersList queryset

---
 awx/api/views.py | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/awx/api/views.py b/awx/api/views.py
index 474e9c6fe8..a3c2280c7d 100644
--- a/awx/api/views.py
+++ b/awx/api/views.py
@@ -3311,12 +3311,11 @@ class RoleUsersList(SubListCreateAttachDetachAPIView):
     serializer_class = UserSerializer
     parent_model = Role
     relationship = 'members'
-    permission_classes = (IsAuthenticated,)
     new_in_300 = True
 
     def get_queryset(self):
-        # XXX: Access control
-        role = Role.objects.get(pk=self.kwargs['pk'])
+        role = self.get_parent_object()
+        self.check_parent_access(role)
         return role.members
 
     def post(self, request, *args, **kwargs):
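Review bot: The permission gate on this view now rests entirely on inherited behaviour that the hunk does not show: with `permission_classes = (IsAuthenticated,)` removed, RoleUsersList falls back to whatever SubListCreateAttachDetachAPIView declares, and `self.check_parent_access(role)` in get_queryset decides who may list members. It would help to confirm that the inherited permission class still rejects anonymous requests, and to record the requirement in a comment above the check, for example `# Listing members requires access to the parent Role (enforced by check_parent_access)`. Once that check passes, `role.members` is returned unfiltered, so every member is presumably visible to the caller even where they could not otherwise read those user records; if that is intended, it is worth stating. The diffstat shows only awx/api/views.py changed, so a test asserting that a user without access to the role is refused on this endpoint would pin the fix. The class body and post() continue outside the hunk.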