Support ownership scope for MiqRequest model

ManageIQ · Mar 28, 2018 · 97324fc · 97324fc
1 parent bb98fea
commit 97324fc
Show file tree

Hide file tree

Showing 3 changed files with 77 additions and 0 deletions.
diff --git a/app/models/miq_request.rb b/app/models/miq_request.rb
@@ -130,6 +130,26 @@ def self.with_reason_like(reason)
     joins(:miq_approvals).where("miq_approvals.reason LIKE (?)", "#{reason[:start] ? '%' : ''}#{sanitize_sql_like(reason[:content])}#{reason[:end] ? '%' : ''}")
   end
 
+  def self.user_or_group_owned(user, miq_group)
+    if user && miq_group
+      user_owned(user).or(group_owned(miq_group))
+    elsif user
+      user_owned(user)
+    elsif miq_group
+      group_owned(miq_group)
+    else
+      none
+    end
+  end
+
+  def self.user_owned(user)
+    where(:requester_id => user.id)
+  end
+
+  def self.group_owned(miq_group)
+    where(:requester_id => miq_group.user_ids)
+  end
+
   # Supports old-style requests where specific request was a seperate table connected as a resource
   def resource
     self

diff --git a/lib/rbac/filterer.rb b/lib/rbac/filterer.rb
@@ -129,6 +129,7 @@ class Filterer
     # scope user_or_group_owned is required on target model
     OWNERSHIP_CLASSES = %w(
       OwnershipMixin
+      MiqRequest
     ).freeze
 
     include Vmdb::Logging

diff --git a/spec/lib/rbac/filterer_spec.rb b/spec/lib/rbac/filterer_spec.rb
@@ -125,6 +125,62 @@ def combine_filtered_ids(user_filtered_ids, belongsto_filtered_ids, managed_filt
   let(:child_openstack_vm) { FactoryGirl.create(:vm_openstack, :tenant => child_tenant, :miq_group => child_group) }
 
   describe ".search" do
+    context 'for MiqRequests' do
+      # MiqRequest for owner group
+      let!(:miq_request_user_owner) { FactoryGirl.create(:miq_provision_request, :tenant => owner_tenant, :requester => owner_user) }
+      # User for owner group
+      let(:user_a)                        { FactoryGirl.create(:user, :miq_groups => [owner_group]) }
+
+      # MiqRequests for other group
+      let!(:miq_request_user_a)     { FactoryGirl.create(:miq_provision_request, :tenant => owner_tenant, :requester => other_user) }
+      let!(:miq_request_user_b)     { FactoryGirl.create(:miq_provision_request, :tenant => owner_tenant, :requester => user_b) }
+
+      # other_group is from owner_tenant
+      let(:other_group)                   { FactoryGirl.create(:miq_group, :tenant => owner_tenant) }
+      # User for other group
+      let(:user_b)                        { FactoryGirl.create(:user, :miq_groups => [other_group]) }
+
+      context "self service user (User or group owned)" do
+        before do
+          allow(other_group).to receive(:self_service?).and_return(true)
+          allow(owner_group).to receive(:self_service?).and_return(true)
+        end
+
+        context 'users are in same tenant as requester' do
+          it "displays requests of user's of group owner_group" do
+            results = described_class.search(:class => MiqProvisionRequest, :user => user_a).first
+            expect(results).to match_array([miq_request_user_owner])
+          end
+
+          it "displays requests for users of other_user's group (other_group) so also for user_c" do
+            results = described_class.search(:class => MiqProvisionRequest, :user => user_b).first
+            expect(results).to match_array([miq_request_user_a, miq_request_user_b])
+          end
+        end
+      end
+
+      context "limited self service user (only user owned)" do
+        before do
+          allow(other_group).to receive(:limited_self_service?).and_return(true)
+          allow(other_group).to receive(:self_service?).and_return(true)
+          allow(owner_group).to receive(:limited_self_service?).and_return(true)
+          allow(owner_group).to receive(:self_service?).and_return(true)
+        end
+
+        context 'users are in same tenant as requester' do
+          it "displays requests of user's of group owner_group" do
+            results = described_class.search(:class => MiqProvisionRequest, :user => user_a).first
+            expect(results).to be_empty
+          end
+
+          it "displays requests for users of other_user's group (other_group) so also for user_c" do
+            results = described_class.search(:class => MiqProvisionRequest, :user => user_b).first
+            expect(results).to match_array([miq_request_user_b])
+          end
+        end
+      end
+    end
+
     context 'with tags' do
       let(:role)         { FactoryGirl.create(:miq_user_role) }
       let(:tagged_group) { FactoryGirl.create(:miq_group, :tenant => Tenant.root_tenant, :miq_user_role => role) }