Check if class is taggable before attempting to process tag expression

This eliminates an error being raised when a tag expression was used in RBAC and is
applied to a class that is not taggable

Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1641012

lib/rbac/filterer.rb

@@ -489,9 +489,9 @@ def get_belongsto_filter_object_ids(klass, filter)
     end
 
     def get_managed_filter_object_ids(scope, filter)
-      return scope.where(filter.to_sql.first) if filter.kind_of?(MiqExpression)
       klass = scope.respond_to?(:klass) ? scope.klass : scope
       return nil if !TAGGABLE_FILTER_CLASSES.include?(safe_base_class(klass).name) || filter.blank?
+      return scope.where(filter.to_sql.first) if filter.kind_of?(MiqExpression)
       scope.find_tags_by_grouping(filter, :ns => '*').reorder(nil)
     end
 

spec/lib/rbac/filterer_spec.rb

@@ -39,6 +39,24 @@
       expect(actual).to match(expected)
     end
 
+    it "doesn't filter by tags on classes that are not taggable" do
+      filter = MiqExpression.new(
+        "AND" => [
+          {"CONTAINS" => {"tag" => "managed-environment", "value" => "prod"}},
+          {"CONTAINS" => {"tag" => "managed-environment", "value" => "test"}}
+        ]
+      )
+      group = create_group_with_expression(filter)
+      user = FactoryGirl.create(:user, :miq_groups => [group])
+      request = FactoryGirl.create(:miq_provision_request, :tenant => owner_tenant, :requester => user)
+
+      actual, = Rbac::Filterer.search(:targets => MiqProvisionRequest, :user => user)
+
+      expect(request.class.include?(ActsAsTaggable)).to be_falsey
+      expected = [request]
+      expect(actual).to match(expected)
+    end
+
     def create_group_with_expression(expression)
       role = FactoryGirl.create(:miq_user_role)
       group = FactoryGirl.create(:miq_group, :tenant => Tenant.root_tenant, :miq_user_role => role)