From 1abb0b2c357a9d0d127651ee76f2dafbdb55633f Mon Sep 17 00:00:00 2001
From: Wayne Witzel III
Date: Tue, 9 Apr 2019 10:07:38 -0400
Subject: [PATCH] restrict metrics to superuser and system auditor
---
 awx/api/views/metrics.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/awx/api/views/metrics.py b/awx/api/views/metrics.py
index abc66d8e44..d9a7795d45 100644
--- a/awx/api/views/metrics.py
+++ b/awx/api/views/metrics.py
@@ -10,6 +10,8 @@ from django.utils.translation import ugettext_lazy as _
 # Django REST Framework
 from rest_framework.response import Response
 from rest_framework.renderers import JSONRenderer
+from rest_framework.exceptions import PermissionDenied
+
 # AWX
 # from awx.main.analytics import collectors
@@ -35,4 +37,6 @@ class MetricsView(APIView):
 def get(self, request, format='txt'):
 ''' Show Metrics Details '''
- return Response(metrics().decode('UTF-8'))
+ if (request.user.is_superuser or request.user.is_system_auditor):
+ return Response(metrics().decode('UTF-8'))
+ raise PermissionDenied()
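Review bot: The new check in `MetricsView.get` reads `request.user.is_system_auditor` without first confirming the request is authenticated; Django's `AnonymousUser` defines `is_superuser`, but nothing visible in this patch guarantees it carries `is_system_auditor`, so an anonymous request that reaches the handler would probably fail with an AttributeError (HTTP 500) rather than a clean 401/403. Whether the view's permission classes already turn anonymous users away cannot be seen here, because the class body starts outside the hunk. A defensive form is `if request.user.is_authenticated and (request.user.is_superuser or request.user.is_system_auditor):`. Since the check sits inside `get`, it guards only that method; expressing it as a DRF permission class on the view would keep any handler added later covered as well. The commit touches one file and adds no test asserting that an ordinary user receives 403.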