Restrict MiqRequest by user's group
lpichler committed Mar 27, 2018
1 parent cd1068f commit 2f8885a
Showing 2 changed files with 22 additions and 0 deletions.
3 changes: 3 additions & 0 deletions lib/rbac/filterer.rb
@@ -41,6 +41,7 @@ class Filterer
MiddlewareMessaging
MiddlewareServer
MiddlewareServerGroup
MiqRequest
NetworkPort
NetworkRouter
OrchestrationStack
@@ -352,6 +353,8 @@ def pluck_ids(targets)
end

def get_self_service_objects(user, miq_group, klass)
return klass.where(:requester_id => miq_group.user_ids) if klass < MiqRequest && miq_group.present?

return nil if miq_group.nil? || !miq_group.self_service? || !(klass < OwnershipMixin)

# for limited_self_service, use user's resources, not user.current_group's resources
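Review bot: The new guard in `get_self_service_objects` tests `klass < MiqRequest`, a strict-subclass comparison that is false when `klass` is `MiqRequest` itself, so a search on the base class (which the first hunk adds to the class list) skips the group restriction and falls through to the older self-service check. Using `<=` covers the base class and its subclasses: `return klass.where(:requester_id => miq_group.user_ids) if klass <= MiqRequest && miq_group.present?`. The guard also ignores `user` and runs before the `self_service?` test, so a limited self-service user appears to receive every request made by the group rather than only their own, and the scope seems to apply to groups that are not self-service at all; the rest of the method is outside the hunk, so this should be confirmed against the caller. A short comment above the guard, for example `# MiqRequest records are scoped to requesters in the user's current group`, would record the intended access rule.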
19 changes: 19 additions & 0 deletions spec/lib/rbac/filterer_spec.rb
@@ -125,6 +125,25 @@ def combine_filtered_ids(user_filtered_ids, belongsto_filtered_ids, managed_filt
let(:child_openstack_vm) { FactoryGirl.create(:vm_openstack, :tenant => child_tenant, :miq_group => child_group) }

describe ".search" do
context 'for MiqRequests' do
let!(:miq_request_user_owner) { FactoryGirl.create(:miq_provision_request, :tenant => owner_tenant, :requester => owner_user) }
let!(:user_b) { FactoryGirl.create(:user, :miq_groups => [other_group]) }

context 'user is in different group but in same tenant as requester' do
it "doesn't display requests for user_b because he is not in same group" do
results = described_class.search(:class => MiqProvisionRequest, :user => user_b).first
expect(results).to be_empty
end

let(:user_c) { FactoryGirl.create(:user, :miq_groups => [owner_group]) }

it "displays requests for user_c because he is in same group" do
results = described_class.search(:class => MiqProvisionRequest, :user => owner_user).first
expect(results).to match_array([miq_request_user_owner])
end
end
end

context 'with tags' do
let(:role) { FactoryGirl.create(:miq_user_role) }
let(:tagged_group) { FactoryGirl.create(:miq_group, :tenant => Tenant.root_tenant, :miq_user_role => role) }
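Review bot: The second example is described as covering `user_c`, but it searches with `:user => owner_user`, and `user_c` is a lazy `let` that is never referenced, so the spec only shows the requester seeing their own request and never exercises a different user from the same group. Changing the call to `results = described_class.search(:class => MiqProvisionRequest, :user => user_c).first` would test the access rule the commit introduces (presumably `owner_user` belongs to `owner_group`; its definition is outside the hunk). The `let(:user_c)` also sits between the two examples inside a context named for the different-group case; declaring it next to `user_b` and giving the same-group example its own context would match what is being asserted. There is no example for `:class => MiqRequest` itself, which is worth adding because the filter compares with a strict `<`.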
