From f11a220e6466ec1d48cd3fe709add268f616879c Mon Sep 17 00:00:00 2001
From: Aaron Tan <jangsutsr@gmail.com>
Date: Fri, 24 Feb 2017 17:06:57 -0500
Subject: [PATCH] Add missing permission check.

---
 awx/api/views.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/awx/api/views.py b/awx/api/views.py
index bd0cef2696..1d4056587c 100644
--- a/awx/api/views.py
+++ b/awx/api/views.py
@@ -1873,6 +1873,8 @@ class GroupChildrenList(EnforceParentRelationshipMixin, SubListCreateAttachDetac
         if sub_id is not None:
             return super(GroupChildrenList, self).unattach(request, *args, **kwargs)
         parent = self.get_parent_object()
+        if not request.user.can_access(self.model, 'delete', parent):
+            raise PermissionDenied()
         parent.delete()
         return Response(status=status.HTTP_204_NO_CONTENT)