From df61fd6ab88dd66a0a4fa0453a1ec9aca6f86b34 Mon Sep 17 00:00:00 2001
From: Matthew Jones <mat@matburt.net>
Date: Thu, 11 Jun 2015 16:24:54 -0400
Subject: [PATCH] Check inventory access for normal users when deciding what
 job templates show up in the job template queryset

---
 awx/main/access.py | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/awx/main/access.py b/awx/main/access.py
index 48d0260f09..c6f281a75c 100644
--- a/awx/main/access.py
+++ b/awx/main/access.py
@@ -904,8 +904,21 @@ class JobTemplateAccess(BaseAccess):
             inventory__permissions__pk=F('project__permissions__pk'),
         )
 
+        perm_inventory_read_user_qs = qs.filter(
+            inventory__permissions__user__in=[self.user],
+            inventory__permissions__permission_type__in=PERMISSION_TYPES_ALLOWING_INVENTORY_READ,
+            inventory__permissions__active=True)
+
+        perm_inventory_read_team_qs = qs.filter(
+            inventory__permissions__team__users__in=[self.user],
+            inventory__permissions__team__active=True,
+            inventory__permissions__permission_type__in=PERMISSION_TYPES_ALLOWING_INVENTORY_READ,
+            inventory__permissions__active=True)
+
+        perm_inventory = perm_inventory_read_user_qs | perm_inventory_read_team_qs
+
         # FIXME: I *think* this should work... needs more testing.
-        return org_admin_qs | perm_deploy_qs | perm_check_qs
+        return org_admin_qs | (perm_deploy_qs & perm_inventory) | (perm_check_qs & perm_inventory)
 
     def can_read(self, obj):
         # you can only see the job templates that you have permission to launch.