From 771108e29802dbbd300904e29fbbb94175c67521 Mon Sep 17 00:00:00 2001
From: Wayne Witzel III
Date: Mon, 19 Mar 2018 12:10:13 -0400
Subject: [PATCH] Protect team assignment for the roles access point
---
 awx/main/access.py | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/awx/main/access.py b/awx/main/access.py
index c32462c78d..58a0c42bae 100644
--- a/awx/main/access.py
+++ b/awx/main/access.py
@@ -2483,6 +2483,10 @@ class RoleAccess(BaseAccess):
 @check_superuser
 def can_unattach(self, obj, sub_obj, relationship, data=None, skip_sub_obj_read_check=False):
+ if isinstance(obj.content_object, Team):
+ if not settings.ORGS_CAN_ASSIGN_USERS_TEAM:
+ return False
+
 if not skip_sub_obj_read_check and relationship in ['members', 'member_role.parents', 'parents']:
 # If we are unattaching a team Role, check the Team read access
 if relationship == 'parents':
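Review bot: The guard added at the top of `can_unattach` is not scoped to a relationship, so with `ORGS_CAN_ASSIGN_USERS_TEAM` off it denies every change to a Team-owned role for callers not short-circuited by `@check_superuser`, including the `'parents'` case handled further down, although the setting name speaks only of users. If only user membership is meant, narrow it, e.g. `if relationship == 'members' and isinstance(obj.content_object, Team) and not settings.ORGS_CAN_ASSIGN_USERS_TEAM:`; if blanket denial is intended, say so in a comment such as `# ORGS_CAN_ASSIGN_USERS_TEAM off: no non-superuser changes to Team roles`. The commit title is about assignment but the hunk touches only `can_unattach`; whether `can_attach` routes through this method is outside the hunk and should be confirmed, otherwise the attach path is unaffected. The diffstat lists only `awx/main/access.py`, so no test pins the deny path or the `@check_superuser` bypass. `can_unattach` continues past the end of the hunk.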