From 97324fcf46b50da16ad8f94568d5796a01a6407a Mon Sep 17 00:00:00 2001
From: lpichler
Date: Tue, 27 Mar 2018 23:24:00 +0200
Subject: [PATCH] Support ownership scope for MiqRequest model
---
 app/models/miq_request.rb | 20 ++++++++++++
 lib/rbac/filterer.rb | 1 +
 spec/lib/rbac/filterer_spec.rb | 56 ++++++++++++++++++++++++++++++++++
 3 files changed, 77 insertions(+)
diff --git a/app/models/miq_request.rb b/app/models/miq_request.rb
index 9ab586d72cd..d5b37c54f76 100644
--- a/app/models/miq_request.rb
+++ b/app/models/miq_request.rb
@@ -130,6 +130,26 @@ def self.with_reason_like(reason)
 joins(:miq_approvals).where("miq_approvals.reason LIKE (?)", "#{reason[:start] ? '%' : ''}#{sanitize_sql_like(reason[:content])}#{reason[:end] ? '%' : ''}")
 end
+ def self.user_or_group_owned(user, miq_group)
+ if user && miq_group
+ user_owned(user).or(group_owned(miq_group))
+ elsif user
+ user_owned(user)
+ elsif miq_group
+ group_owned(miq_group)
+ else
+ none
+ end
+ end
+
+ def self.user_owned(user)
+ where(:requester_id => user.id)
+ end
+
+ def self.group_owned(miq_group)
+ where(:requester_id => miq_group.user_ids)
+ end
+
 # Supports old-style requests where specific request was a seperate table connected as a resource
 def resource
 self
diff --git a/lib/rbac/filterer.rb b/lib/rbac/filterer.rb
index 260e0d358cd..8191c215110 100644
--- a/lib/rbac/filterer.rb
+++ b/lib/rbac/filterer.rb
@@ -129,6 +129,7 @@ class Filterer
 # scope user_or_group_owned is required on target model
 OWNERSHIP_CLASSES = %w(
 OwnershipMixin
+ MiqRequest
 ).freeze
 include Vmdb::Logging
diff --git a/spec/lib/rbac/filterer_spec.rb b/spec/lib/rbac/filterer_spec.rb
index 61141f471e8..9183ecf277f 100644
--- a/spec/lib/rbac/filterer_spec.rb
+++ b/spec/lib/rbac/filterer_spec.rb
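Review bot: `group_owned` in app/models/miq_request.rb resolves group ownership through the requester's current group membership (`where(:requester_id => miq_group.user_ids)`), not through any group recorded on the request itself. As written, a requester who belongs to several groups has their requests visible to self-service members of each of those groups, and later membership changes alter who can see existing requests. If that is the intended model, it deserves a comment above `user_or_group_owned`, for example `# A request counts as group-owned when its requester is currently a member of miq_group.` Separately, `user_ids` loads every member id into Ruby before building the `IN` list; `where(:requester_id => miq_group.users.select(:id))` would keep it as a subquery, assuming `MiqGroup#users` is an ordinary association (not visible in this patch).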
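Review bot: The comment above `OWNERSHIP_CLASSES` in lib/rbac/filterer.rb is now the only thing tying this list to the hand-written `MiqRequest.user_or_group_owned`, and the list now mixes a mixin name with a model name. The spec in this patch searches with `MiqProvisionRequest`, so the lookup presumably matches through ancestors, but that code is outside the hunk and should be confirmed. Extending the comment would record the contract, e.g. `# each entry is a mixin or base model that defines the scope user_or_group_owned(user, miq_group)`.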
@@ -125,6 +125,62 @@ def combine_filtered_ids(user_filtered_ids, belongsto_filtered_ids, managed_filt
 let(:child_openstack_vm) { FactoryGirl.create(:vm_openstack, :tenant => child_tenant, :miq_group => child_group) }
 describe ".search" do
+ context 'for MiqRequests' do
+ # MiqRequest for owner group
+ let!(:miq_request_user_owner) { FactoryGirl.create(:miq_provision_request, :tenant => owner_tenant, :requester => owner_user) }
+ # User for owner group
+ let(:user_a) { FactoryGirl.create(:user, :miq_groups => [owner_group]) }
+
+ # MiqRequests for other group
+ let!(:miq_request_user_a) { FactoryGirl.create(:miq_provision_request, :tenant => owner_tenant, :requester => other_user) }
+ let!(:miq_request_user_b) { FactoryGirl.create(:miq_provision_request, :tenant => owner_tenant, :requester => user_b) }
+
+ # other_group is from owner_tenant
+ let(:other_group) { FactoryGirl.create(:miq_group, :tenant => owner_tenant) }
+ # User for other group
+ let(:user_b) { FactoryGirl.create(:user, :miq_groups => [other_group]) }
+
+ context "self service user (User or group owned)" do
+ before do
+ allow(other_group).to receive(:self_service?).and_return(true)
+ allow(owner_group).to receive(:self_service?).and_return(true)
+ end
+
+ context 'users are in same tenant as requester' do
+ it "displays requests of user's of group owner_group" do
+ results = described_class.search(:class => MiqProvisionRequest, :user => user_a).first
+ expect(results).to match_array([miq_request_user_owner])
+ end
+
+ it "displays requests for users of other_user's group (other_group) so also for user_c" do
+ results = described_class.search(:class => MiqProvisionRequest, :user => user_b).first
+ expect(results).to match_array([miq_request_user_a, miq_request_user_b])
+ end
+ end
+ end
+
+ context "limited self service user (only user owned)" do
+ before do
+ allow(other_group).to receive(:limited_self_service?).and_return(true)
+ allow(other_group).to receive(:self_service?).and_return(true)
+ allow(owner_group).to receive(:limited_self_service?).and_return(true)
+ allow(owner_group).to receive(:self_service?).and_return(true)
+ end
+
+ context 'users are in same tenant as requester' do
+ it "displays requests of user's of group owner_group" do
+ results = described_class.search(:class => MiqProvisionRequest, :user => user_a).first
+ expect(results).to be_empty
+ end
+
+ it "displays requests for users of other_user's group (other_group) so also for user_c" do
+ results = described_class.search(:class => MiqProvisionRequest, :user => user_b).first
+ expect(results).to match_array([miq_request_user_b])
+ end
+ end
+ end
+ end
+
 context 'with tags' do
 let(:role) { FactoryGirl.create(:miq_user_role) }
 let(:tagged_group) { FactoryGirl.create(:miq_group, :tenant => Tenant.root_tenant, :miq_user_role => role) }
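Review bot: Several example names in the new `context 'for MiqRequests'` block do not match what they assert, which makes an access-control spec hard to audit. Under "limited self service user" the first example is titled `displays requests of user's of group owner_group` but expects `be_empty`, and both `... so also for user_c` titles refer to a user that is not defined in this hunk. Suggested titles for the limited case: `it "returns no requests for a user who has not requested anything"` and `it "returns only the user's own request, not those of other group members"`. The `else none` branch of `user_or_group_owned` and a requester who belongs to two groups are not exercised here; the enclosing `describe ".search"` block continues outside the hunk.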