Merge pull request #14898 from lpichler/rbac_for_user_model_by_role
RBAC for User model regard to allowed role
(cherry picked from commit 5697c1c)

https://bugzilla.redhat.com/show_bug.cgi?id=1447373
isimluk authored and simaishi committed May 2, 2017
1 parent 4db8b42 commit 7d6e53f
Showing 3 changed files with 16 additions and 1 deletion.
4 changes: 4 additions & 0 deletions app/models/user.rb
@@ -47,6 +47,10 @@ class User < ApplicationRecord
serialize :settings, Hash # Implement settings column as a hash
default_value_for(:settings) { Hash.new }

def self.with_allowed_roles_for(user_or_group)
includes(:miq_groups => :miq_user_role).where.not(:miq_user_roles => {:name => user_or_group.disallowed_roles})
end

def self.scope_by_tenant?
true
end
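Review bot: `with_allowed_roles_for` filters joined group/role rows rather than users, so a user who belongs to two groups, one with a disallowed role and one without, would still be returned through the allowed group's row. Because `includes` with a condition on `miq_user_roles` is loaded through a LEFT OUTER JOIN, a user with no group gets a NULL role name and is dropped by the `NOT IN`, which may not be intended either. Deciding per user id avoids both, for example `where.not(:id => unscoped.joins(:miq_groups => :miq_user_role).where(:miq_user_roles => {:name => user_or_group.disallowed_roles}).select(:id))`. The scope also has no comment; `# Hides users who hold any role listed in user_or_group.disallowed_roles` would state the intended rule. The class body continues outside the hunk.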
2 changes: 1 addition & 1 deletion lib/rbac/filterer.rb
@@ -476,7 +476,7 @@ def scope_targets(klass, scope, rbac_filters, user, miq_group)
elsif klass == MiqGroup && miq_group.try!(:self_service?)
# Self Service users searching for groups only see their group
scope.where(:id => miq_group.id)
elsif [MiqUserRole, MiqGroup].include?(klass) && (user_or_group = miq_group || user) &&
elsif [MiqUserRole, MiqGroup, User].include?(klass) && (user_or_group = miq_group || user) &&
user_or_group.disallowed_roles
scope.with_allowed_roles_for(user_or_group)
else
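Review bot: The widened `elsif` has no comment, unlike the self-service branch just above it, although it now decides which User rows a requester may see. A line such as `# Users, groups and roles tied to a role in disallowed_roles are hidden from the requester` above the condition would record the rule. The branch is skipped whenever `disallowed_roles` is nil or false; that reading comes only from the truthiness test here, since the method is defined outside this page. `scope_targets` starts and ends outside the hunk.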
11 changes: 11 additions & 0 deletions spec/lib/rbac/filterer_spec.rb
@@ -417,6 +417,17 @@ def get_rbac_results_for_and_expect_objects(klass, expected_objects)
expect(MiqUserRole.count).to eq(3)
get_rbac_results_for_and_expect_objects(MiqGroup, [group])
end

let(:super_admin_group) do
FactoryGirl.create(:miq_group, :tenant => default_tenant, :miq_user_role => super_administrator_user_role)
end

let!(:super_admin_user) { FactoryGirl.create(:user, :miq_groups => [super_admin_group]) }

it 'can see all users expect to user with group with role EvmRole-super_administrator' do
expect(User.count).to eq(2)
get_rbac_results_for_and_expect_objects(User, [user])
end
end
end
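Review bot: The new example covers only a super-admin user with a single group, so it would still pass if the scope hid users per group row instead of per user. A second user created with `:miq_groups => [group, super_admin_group]` and asserted absent from the results would pin the access rule; a user with no groups is another case worth fixing in an example. The description string reads 'expect to user' where 'except for users' seems to be meant. The enclosing example group starts outside the hunk.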

