diff --git a/app/models/user.rb b/app/models/user.rb
index 0ea4fe2c832..232ba7f5d3f 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -47,6 +47,10 @@ class User < ApplicationRecord
   serialize :settings, Hash # Implement settings column as a hash
   default_value_for(:settings) { Hash.new }
 
+  def self.with_allowed_roles_for(user_or_group)
+    includes(:miq_groups => :miq_user_role).where.not(:miq_user_roles => {:name => user_or_group.disallowed_roles})
+  end
+
   def self.scope_by_tenant?
     true
   end
diff --git a/lib/rbac/filterer.rb b/lib/rbac/filterer.rb
index 7af0d83a40a..130873c15c7 100644
--- a/lib/rbac/filterer.rb
+++ b/lib/rbac/filterer.rb
@@ -476,7 +476,7 @@ def scope_targets(klass, scope, rbac_filters, user, miq_group)
         elsif klass == MiqGroup && miq_group.try!(:self_service?)
           # Self Service users searching for groups only see their group
           scope.where(:id => miq_group.id)
-        elsif [MiqUserRole, MiqGroup].include?(klass) && (user_or_group = miq_group || user) &&
+        elsif [MiqUserRole, MiqGroup, User].include?(klass) && (user_or_group = miq_group || user) &&
               user_or_group.disallowed_roles
           scope.with_allowed_roles_for(user_or_group)
         else
diff --git a/spec/lib/rbac/filterer_spec.rb b/spec/lib/rbac/filterer_spec.rb
index db164d3063a..528ec941296 100644
--- a/spec/lib/rbac/filterer_spec.rb
+++ b/spec/lib/rbac/filterer_spec.rb
@@ -417,6 +417,17 @@ def get_rbac_results_for_and_expect_objects(klass, expected_objects)
         expect(MiqUserRole.count).to eq(3)
         get_rbac_results_for_and_expect_objects(MiqGroup, [group])
       end
+
+      let(:super_admin_group) do
+        FactoryGirl.create(:miq_group, :tenant => default_tenant, :miq_user_role => super_administrator_user_role)
+      end
+
+      let!(:super_admin_user) { FactoryGirl.create(:user, :miq_groups => [super_admin_group]) }
+
+      it 'can see all users expect to user with group with role EvmRole-super_administrator' do
+        expect(User.count).to eq(2)
+        get_rbac_results_for_and_expect_objects(User, [user])
+      end
     end
   end
 
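Review bot: `with_allowed_roles_for` filters joined role rows rather than users, so a user who belongs to both a group carrying a disallowed role and a group carrying a permitted role still matches: the `where.not` on the `miq_groups => miq_user_role` join drops only the rows whose role name is in `user_or_group.disallowed_roles`, and the user survives through the other group. Users with no group, or with a group that has no role, are presumably excluded as well, since the hash condition makes `includes` a left outer join and `NOT IN` never matches a NULL role name. If the intent is that a user holding any disallowed role is hidden from the requester, an anti-join expresses it directly: `where.not(:id => joins(:miq_groups => :miq_user_role).where(:miq_user_roles => {:name => user_or_group.disallowed_roles}))`. If the current per-row behaviour is what is wanted, a comment on the method stating that a user is visible as long as one of their groups has a permitted role would save the next reader this analysis. The `User` class body continues outside the hunk.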
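Review bot: The reason `User` now joins `MiqUserRole` and `MiqGroup` in this branch is not recorded anywhere in the hunk, and the two-line condition is the only thing a reader has to go on; a comment above the `elsif`, `# Roles, groups and users carrying a role the requester may not see (disallowed_roles) are filtered out`, would document the shared intent. Note that the exclusion semantics for users are decided by `User.with_allowed_roles_for` in app/models/user.rb, not by this condition, so the comment should not promise more than that scope delivers. The rest of `scope_targets` lies outside the hunk.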
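Review bot: The example description on the `it` line reads "can see all users expect to user with group…", which is a typo and hard to parse; `it 'can see all users except the user whose group has role EvmRole-super_administrator' do` states the expectation. The example only covers a user whose sole group carries the disallowed role; a second example in which `super_admin_user` is also a member of `group` would pin down whether such a user is meant to be visible, which is the case a join-based filter on `miq_groups` treats differently from a single-group user. The enclosing describe block starts outside the hunk.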