Merge pull request #14901 from lpichler/join_rbac_for_role_user_and_g…

…roup_to_one_if_branch Join RBAC check for MiqUserRole, User and MiqGroup to one if branch
ManageIQ · May 2, 2017 · b8adc25 · b8adc25
2 parents cae190e + e9b79de
commit b8adc25
Showing 1 changed file with 14 additions and 9 deletions.
diff --git a/lib/rbac/filterer.rb b/lib/rbac/filterer.rb
@@ -443,6 +443,18 @@ def scope_to_cloud_tenant(scope, user, miq_group)
       klass.tenant_joins_clause(scope).where(tenant_id_clause)
     end
 
+    def scope_for_user_role_group(klass, scope, miq_group, user)
+      user_or_group = miq_group || user
+
+      if user_or_group.try!(:self_service?) && MiqUserRole != klass
+        scope.where(:id => klass == User ? user.id : miq_group.id)
+      elsif user_or_group.disallowed_roles
+        scope.with_allowed_roles_for(user_or_group)
+      else
+        scope
+      end
+    end
+
     ##
     # Main scoping method
     #
@@ -470,15 +482,8 @@ def scope_targets(klass, scope, rbac_filters, user, miq_group)
 
         filtered_ids = calc_filtered_ids(associated_class, rbac_filters, user, miq_group, scope_tenant_filter)
         scope_by_parent_ids(associated_class, scope, filtered_ids)
-      elsif klass == User && user.try!(:self_service?)
-        # Self service users searching for users only see themselves
-        scope.where(:id => user.id)
-      elsif klass == MiqGroup && miq_group.try!(:self_service?)
-        # Self Service users searching for groups only see their group
-        scope.where(:id => miq_group.id)
-      elsif [MiqUserRole, MiqGroup, User].include?(klass) && (user_or_group = miq_group || user) &&
-            user_or_group.disallowed_roles
-        scope.with_allowed_roles_for(user_or_group)
+      elsif [MiqUserRole, MiqGroup, User].include?(klass)
+        scope_for_user_role_group(klass, scope, miq_group, user)
       else
         scope
       end