From 509926c18c78b2aaad256cb2ace59964caa3103e Mon Sep 17 00:00:00 2001
From: Alexander Demichev <ademicev@redhat.com>
Date: Tue, 27 Feb 2018 16:01:18 +0100
Subject: [PATCH] add publicity of images to query

---
 .../providers/cloud_manager/template.rb       |  7 ++++
 spec/lib/rbac/filterer_spec.rb                | 34 +++++++++++++++++++
 .../providers/cloud_manager/template_spec.rb  | 33 +++++++++++++++---
 3 files changed, 69 insertions(+), 5 deletions(-)

diff --git a/app/models/manageiq/providers/cloud_manager/template.rb b/app/models/manageiq/providers/cloud_manager/template.rb
index e58fe78adf75..82cc0b2d9de6 100644
--- a/app/models/manageiq/providers/cloud_manager/template.rb
+++ b/app/models/manageiq/providers/cloud_manager/template.rb
@@ -118,6 +118,13 @@ def validate_unsupported(message_prefix)
      :message   => _("%{message} is not available for %{name}.") % {:message => message_prefix, :name => name}}
   end
 
+  def self.tenant_id_clause(user_or_group)
+    template_tenant_ids = MiqTemplate.accessible_tenant_ids(user_or_group, Rbac.accessible_tenant_ids_strategy(MiqTemplate))
+    return if template_tenant_ids.empty?
+
+    ["(vms.template = true AND (vms.tenant_id IN (?) OR vms.publicly_available = true))", template_tenant_ids]
+  end
+
   private
 
   def raise_created_event
diff --git a/spec/lib/rbac/filterer_spec.rb b/spec/lib/rbac/filterer_spec.rb
index 85b6a4c64352..a962cfeb299c 100644
--- a/spec/lib/rbac/filterer_spec.rb
+++ b/spec/lib/rbac/filterer_spec.rb
@@ -650,6 +650,40 @@ def combine_filtered_ids(user_filtered_ids, belongsto_filtered_ids, managed_filt
             expect(results).to match_array []
           end
         end
+
+        context "searching CloudTemplate" do
+          let(:group) { FactoryGirl.create(:miq_group, :tenant => default_tenant) } # T1
+          let(:admin_user) { FactoryGirl.create(:user, :role => "super_administrator") }
+          let!(:cloud_template_1) { FactoryGirl.create(:template_cloud, :publicly_available => false) }
+
+          it 'returns all cloud templates when user is admin' do
+            results = described_class.filtered(TemplateCloud, :user => admin_user)
+            expect(results).to match_array(TemplateCloud.all)
+          end
+
+          context "when user is restricted user" do
+            let(:tenant_2) { FactoryGirl.create(:tenant, :parent => default_tenant, :source_type => 'CloudTenant') } # T2
+            let(:group_2) { FactoryGirl.create(:miq_group, :tenant => tenant_2) } # T1
+            let(:user_2) { FactoryGirl.create(:user, :miq_groups => [group_2]) }
+            let(:tenant_3) { FactoryGirl.create(:tenant, :parent => tenant_2) } # T3
+            let!(:public_cloud_template) { FactoryGirl.create(:template_cloud, :tenant => tenant_3, :publicly_available => true) }
+
+            context "returns all public cloud templates" do
+              it "" do
+                results = described_class.filtered(TemplateCloud, :user => user_2)
+                expect(results).to match_array([public_cloud_template])
+              end
+            end
+
+            context "ignores private cloud templates" do
+              let!(:private_cloud_template) { FactoryGirl.create(:template_cloud, :tenant => tenant_3,  :publicly_available => false) }
+              it "" do
+                results = described_class.filtered(TemplateCloud, :user => user_2)
+                expect(results).to match_array([public_cloud_template])
+              end
+            end
+          end
+        end
       end
 
       context "tenant 0" do
diff --git a/spec/models/manageiq/providers/cloud_manager/template_spec.rb b/spec/models/manageiq/providers/cloud_manager/template_spec.rb
index c502d8779a2a..426ef09c2ad8 100644
--- a/spec/models/manageiq/providers/cloud_manager/template_spec.rb
+++ b/spec/models/manageiq/providers/cloud_manager/template_spec.rb
@@ -1,9 +1,32 @@
 describe TemplateCloud do
-  it "#post_create_actions" do
-    expect(subject).to receive(:reconnect_events)
-    expect(subject).to receive(:classify_with_parent_folder_path)
-    expect(MiqEvent).to receive(:raise_evm_event).with(subject, "vm_template", :vm => subject)
+  describe "actions" do
+    it "#post_create_actions" do
+      expect(subject).to receive(:reconnect_events)
+      expect(subject).to receive(:classify_with_parent_folder_path)
+      expect(MiqEvent).to receive(:raise_evm_event).with(subject, "vm_template", :vm => subject)
 
-    subject.post_create_actions
+      subject.post_create_actions
+    end
+  end
+
+  let(:root_tenant) do
+    Tenant.seed
+  end
+
+  let(:default_tenant) do
+    root_tenant
+    Tenant.default_tenant
+  end
+
+  describe "miq_group" do
+    let(:user)         { FactoryGirl.create(:user, :userid => 'user', :miq_groups => [tenant_group]) }
+    let(:tenant)       { FactoryGirl.build(:tenant, :parent => default_tenant) }
+    let(:tenant_users) { FactoryGirl.create(:miq_user_role, :name => "tenant-users") }
+    let(:tenant_group) { FactoryGirl.create(:miq_group, :miq_user_role => tenant_users, :tenant => tenant) }
+    let(:cloud_template_1) { FactoryGirl.create(:class => "TemplateCloud") }
+
+    it "finds correct tenant id clause for regular tenants" do
+      expect(TemplateCloud.tenant_id_clause(user)).to eql ["(vms.template = true AND (vms.tenant_id IN (?) OR vms.publicly_available = true))", [default_tenant.id, tenant.id]]
+    end
   end
 end