Protect team assignment for the roles access point

2024-11-02 01:21:21 +03:00 · 2018-03-19 12:10:13 -04:00 · 2018-03-19 12:10:13 -04:00 · 771108e298
commit 771108e298
parent eb3b518507
1 changed files with 4 additions and 0 deletions
--- a/awx/main/access.py
+++ b/awx/main/access.py
@ -2483,6 +2483,10 @@ class RoleAccess(BaseAccess):

    @check_superuser
    def can_unattach(self, obj, sub_obj, relationship, data=None, skip_sub_obj_read_check=False):
+        if isinstance(obj.content_object, Team):
+            if not settings.ORGS_CAN_ASSIGN_USERS_TEAM:
+                return False
+
        if not skip_sub_obj_read_check and relationship in ['members', 'member_role.parents', 'parents']:
            # If we are unattaching a team Role, check the Team read access
            if relationship == 'parents':