move disallowed_roles calculation to rbac

ManageIQ · May 9, 2018 · c51accd · c51accd
1 parent bf52707
commit c51accd
Show file tree

Hide file tree

Showing 4 changed files with 21 additions and 20 deletions.
diff --git a/app/models/miq_group.rb b/app/models/miq_group.rb
@@ -15,11 +15,11 @@ class MiqGroup < ApplicationRecord
   has_many   :miq_widget_sets, :as => :owner, :dependent => :destroy
   has_many   :miq_product_features, :through => :miq_user_role
 
-  virtual_column :miq_user_role_name, :type => :string,  :uses => :miq_user_role
+  virtual_delegate :name, :to => :miq_user_role, :allow_nil => true, :prefix => true
   virtual_column :read_only,          :type => :boolean
   virtual_has_one :sui_product_features, :class_name => "Array"
 
-  delegate :self_service?, :limited_self_service?, :disallowed_roles, :to => :miq_user_role, :allow_nil => true
+  delegate :self_service?, :limited_self_service?, :to => :miq_user_role, :allow_nil => true
 
   validates :description, :presence => true, :unique_within_region => { :match_case => false }
   validate :validate_default_tenant, :on => :update, :if => :tenant_id_changed?
@@ -60,8 +60,12 @@ def settings=(new_settings)
     super(indifferent_settings)
   end
 
-  def self.with_allowed_roles_for(user_or_group)
-    includes(:miq_user_role).where.not({:miq_user_roles => {:name => user_or_group.disallowed_roles}})
+  def self.with_roles_excluding(disallowed_roles)
+    if disallowed_roles
+      includes(:miq_user_role).where.not({:miq_user_roles => {:name => disallowed_roles}})
+    else
+      includes(:miq_user_role)
+    end
   end
 
   def self.next_sequence
@@ -183,10 +187,6 @@ def get_belongsto_filters
     entitlement.try(:get_belongsto_filters) || []
   end
 
-  def miq_user_role_name
-    miq_user_role.try(:name)
-  end
-
   def system_group?
     group_type == SYSTEM_GROUP
   end

diff --git a/app/models/miq_user_role.rb b/app/models/miq_user_role.rb
@@ -64,12 +64,8 @@ def limited_self_service?
     (settings || {}).fetch_path(:restrictions, :vms) == :user
   end
 
-  def disallowed_roles
-    !super_admin_user? && Rbac::Filterer::DISALLOWED_ROLES_FOR_USER_ROLE[name]
-  end
-
-  def self.with_allowed_roles_for(user_or_group)
-    where.not(:name => user_or_group.disallowed_roles)
+  def self.with_roles_excluding(disallowed_roles)
+    disallowed_roles ? where.not(:name => disallowed_roles) : all
   end
 
   def self.seed

diff --git a/app/models/user.rb b/app/models/user.rb
@@ -32,7 +32,7 @@ class User < ApplicationRecord
 
   delegate   :miq_user_role, :current_tenant, :get_filters, :has_filters?, :get_managed_filters, :get_belongsto_filters,
              :to => :current_group, :allow_nil => true
-  delegate   :super_admin_user?, :admin_user?, :self_service?, :limited_self_service?, :disallowed_roles,
+  delegate   :super_admin_user?, :admin_user?, :self_service?, :limited_self_service?,
              :to => :miq_user_role, :allow_nil => true
 
   validates_presence_of   :name, :userid
@@ -50,8 +50,12 @@ class User < ApplicationRecord
 
   scope :with_same_userid, ->(id) { where(:userid => User.find(id).userid) }
 
-  def self.with_allowed_roles_for(user_or_group)
-    includes(:miq_groups => :miq_user_role).where.not(:miq_user_roles => {:name => user_or_group.disallowed_roles})
+  def self.with_roles_excluding(disallowed_roles)
+    if disallowed_roles
+      includes(:miq_groups => :miq_user_role).where.not(:miq_user_roles => {:name => disallowed_roles})
+    else
+      includes(:miq_groups => :miq_user_role)
+    end
   end
 
   def self.scope_by_tenant?

diff --git a/lib/rbac/filterer.rb b/lib/rbac/filterer.rb
@@ -164,7 +164,7 @@ def self.accessible_tenant_ids_strategy(klass)
     # @option options :where_clause  []
     # @option options :sub_filter
     # @option options :include_for_find [Array<Symbol>]
-    # @option options :filter
+    # @option options :filter       [MiqExpression] (optional)
 
     # @option options :user         [User]     (default: current_user)
     # @option options :userid       [String]   User#userid (not user_id)
@@ -513,8 +513,9 @@ def scope_for_user_role_group(klass, scope, miq_group, user, managed_filters)
       if user_or_group.try!(:self_service?) && MiqUserRole != klass
         scope.where(:id => klass == User ? user.id : miq_group.id)
       else
-        if user_or_group.disallowed_roles
-          scope = scope.with_allowed_roles_for(user_or_group)
+        if !user_or_group.miq_user_role.super_admin_user? &&
+           (disallowed_roles = DISALLOWED_ROLES_FOR_USER_ROLE[user_or_group.miq_user_role_name])
+          scope = scope.with_roles_excluding(disallowed_roles)
         end
 
         if MiqUserRole != klass