From d0e9044dad5140c82c5c69c9c19eee3542e65b77 Mon Sep 17 00:00:00 2001
From: Akita Noek
Date: Mon, 25 Apr 2016 14:12:07 -0400
Subject: [PATCH] Enforce team access permissions on team/:n/roles
---
 awx/api/views.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/awx/api/views.py b/awx/api/views.py
index 3b0942dc65..be4cf4fd8b 100644
--- a/awx/api/views.py
+++ b/awx/api/views.py
@@ -815,8 +815,9 @@ class TeamRolesList(SubListCreateAttachDetachAPIView):
 relationship='member_role.children'

 def get_queryset(self):
- team = Team.objects.get(pk=self.kwargs['pk'])
- #return team.member_role.children.filter(id__in=Role.visible_roles(self.request.user))
+ team = get_object_or_404(Team, pk=self.kwargs['pk'])
+ if not self.request.user.can_access(Team, 'read', team):
+ raise PermissionDenied()
 return Role.filter_visible_roles(self.request.user, team.member_role.children.all())

 # XXX: Need to enforce permissions
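Review bot: The new `can_access(Team, 'read', team)` guard in `get_queryset` covers only the listing path, and the trailing context line `# XXX: Need to enforce permissions` suggests the handler that follows (outside this hunk) still changes team roles without an equivalent check. If that handler does not resolve the team through `get_queryset`, it needs its own access check on the team before it acts, and the XXX marker should not outlive this commit. Separately, because `get_object_or_404` runs before the permission check, a caller without access can tell an existing team id (403) from a missing one (404); if team ids should not be discoverable, answer both cases alike, e.g. `raise Http404()` instead of `raise PermissionDenied()`. The imports for `get_object_or_404` and `PermissionDenied` are not visible in the hunk, so confirm that the `PermissionDenied` in scope is the one the API's exception handler maps to a 403 response.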