Enforce team access permissions on team/:n/roles

2024-11-02 18:21:12 +03:00 · 2016-04-25 14:12:07 -04:00 · 2016-04-25 14:12:07 -04:00 · d0e9044dad
commit d0e9044dad
parent 4c15374b05
1 changed files with 3 additions and 2 deletions
--- a/awx/api/views.py
+++ b/awx/api/views.py
@ -815,8 +815,9 @@ class TeamRolesList(SubListCreateAttachDetachAPIView):
    relationship='member_role.children'

    def get_queryset(self):
-        team = Team.objects.get(pk=self.kwargs['pk'])
-        #return team.member_role.children.filter(id__in=Role.visible_roles(self.request.user))
+        team = get_object_or_404(Team, pk=self.kwargs['pk'])
+        if not self.request.user.can_access(Team, 'read', team):
+            raise PermissionDenied()
        return Role.filter_visible_roles(self.request.user, team.member_role.children.all())

    # XXX: Need to enforce permissions