diff --git a/app/models/miq_group.rb b/app/models/miq_group.rb index ed9a11f4087d..c6401c29bb1a 100644 --- a/app/models/miq_group.rb +++ b/app/models/miq_group.rb @@ -15,11 +15,11 @@ class MiqGroup < ApplicationRecord has_many :miq_widget_sets, :as => :owner, :dependent => :destroy has_many :miq_product_features, :through => :miq_user_role - virtual_column :miq_user_role_name, :type => :string, :uses => :miq_user_role + virtual_delegate :name, :to => :miq_user_role, :allow_nil => true, :prefix => true virtual_column :read_only, :type => :boolean virtual_has_one :sui_product_features, :class_name => "Array" - delegate :self_service?, :limited_self_service?, :disallowed_roles, :to => :miq_user_role, :allow_nil => true + delegate :self_service?, :limited_self_service?, :to => :miq_user_role, :allow_nil => true validates :description, :presence => true, :unique_within_region => { :match_case => false } validate :validate_default_tenant, :on => :update, :if => :tenant_id_changed? @@ -60,8 +60,12 @@ def settings=(new_settings) super(indifferent_settings) end - def self.with_allowed_roles_for(user_or_group) - includes(:miq_user_role).where.not({:miq_user_roles => {:name => user_or_group.disallowed_roles}}) + def self.with_roles_excluding(disallowed_roles) + if disallowed_roles + includes(:miq_user_role).where.not({:miq_user_roles => {:name => disallowed_roles}}) + else + includes(:miq_user_role) + end end def self.next_sequence @@ -183,10 +187,6 @@ def get_belongsto_filters entitlement.try(:get_belongsto_filters) || [] end - def miq_user_role_name - miq_user_role.try(:name) - end - def system_group? group_type == SYSTEM_GROUP end diff --git a/app/models/miq_user_role.rb b/app/models/miq_user_role.rb index 3a57e59ca27a..e73ff081cdc7 100644 --- a/app/models/miq_user_role.rb +++ b/app/models/miq_user_role.rb @@ -64,12 +64,8 @@ def limited_self_service? (settings || {}).fetch_path(:restrictions, :vms) == :user end - def disallowed_roles - !super_admin_user? && Rbac::Filterer::DISALLOWED_ROLES_FOR_USER_ROLE[name] - end - - def self.with_allowed_roles_for(user_or_group) - where.not(:name => user_or_group.disallowed_roles) + def self.with_roles_excluding(disallowed_roles) + disallowed_roles ? where.not(:name => disallowed_roles) : all end def self.seed diff --git a/app/models/user.rb b/app/models/user.rb index f1965517d9d6..6652c6b16f25 100644 --- a/app/models/user.rb +++ b/app/models/user.rb @@ -32,7 +32,7 @@ class User < ApplicationRecord delegate :miq_user_role, :current_tenant, :get_filters, :has_filters?, :get_managed_filters, :get_belongsto_filters, :to => :current_group, :allow_nil => true - delegate :super_admin_user?, :admin_user?, :self_service?, :limited_self_service?, :disallowed_roles, + delegate :super_admin_user?, :admin_user?, :self_service?, :limited_self_service?, :to => :miq_user_role, :allow_nil => true validates_presence_of :name, :userid @@ -50,8 +50,12 @@ class User < ApplicationRecord scope :with_same_userid, ->(id) { where(:userid => User.find(id).userid) } - def self.with_allowed_roles_for(user_or_group) - includes(:miq_groups => :miq_user_role).where.not(:miq_user_roles => {:name => user_or_group.disallowed_roles}) + def self.with_roles_excluding(disallowed_roles) + if disallowed_roles + includes(:miq_groups => :miq_user_role).where.not(:miq_user_roles => {:name => disallowed_roles}) + else + includes(:miq_groups => :miq_user_role) + end end def self.scope_by_tenant? diff --git a/lib/rbac/filterer.rb b/lib/rbac/filterer.rb index 442fc2ea0853..8e9c4fc6fe4c 100644 --- a/lib/rbac/filterer.rb +++ b/lib/rbac/filterer.rb @@ -164,7 +164,7 @@ def self.accessible_tenant_ids_strategy(klass) # @option options :where_clause [] # @option options :sub_filter # @option options :include_for_find [Array] - # @option options :filter + # @option options :filter [MiqExpression] (optional) # @option options :user [User] (default: current_user) # @option options :userid [String] User#userid (not user_id) @@ -513,8 +513,9 @@ def scope_for_user_role_group(klass, scope, miq_group, user, managed_filters) if user_or_group.try!(:self_service?) && MiqUserRole != klass scope.where(:id => klass == User ? user.id : miq_group.id) else - if user_or_group.disallowed_roles - scope = scope.with_allowed_roles_for(user_or_group) + if !user_or_group.miq_user_role.super_admin_user? && + (disallowed_roles = DISALLOWED_ROLES_FOR_USER_ROLE[user_or_group.miq_user_role_name]) + scope = scope.with_roles_excluding(disallowed_roles) end if MiqUserRole != klass