use features to check if a role is an admin role

the role name used to determine if it were https://bugzilla.redhat.com/show_bug.cgi?id=1090627
kbrock · Aug 14, 2018 · 1b470b5 · 1b470b5
1 parent 086d52a
commit 1b470b5
Show file tree

Hide file tree

Showing 8 changed files with 39 additions and 16 deletions.
diff --git a/app/models/miq_group.rb b/app/models/miq_group.rb
@@ -58,8 +58,10 @@ def settings=(new_settings)
     super(indifferent_settings)
   end
 
-  def self.with_roles_excluding(disallowed_roles)
-    includes(:miq_user_role).where.not(:miq_user_roles => {:name => disallowed_roles})
+  def self.with_roles_excluding(identifier)
+    where.not(:id => MiqGroup.joins(:miq_product_features)
+                             .where(:miq_product_features => {:identifier => identifier})
+                             .select(:id))
   end
 
   def self.next_sequence

diff --git a/app/models/miq_product_feature.rb b/app/models/miq_product_feature.rb
@@ -1,4 +1,6 @@
 class MiqProductFeature < ApplicationRecord
+  SUPER_ADMIN_FEATURE = "everything".freeze
+  ADMIN_FEATURE       = "miq_report_superadmin".freeze
   acts_as_tree
 
   has_and_belongs_to_many :miq_user_roles, :join_table => :miq_roles_features
@@ -107,7 +109,7 @@ def self.seed_features(path = FIXTURE_PATH)
     features = all.to_a.index_by(&:identifier)
     seen     = seed_from_hash(YAML.load_file(fixture_yaml), seen, nil, features)
 
-    root_feature = MiqProductFeature.find_by(:identifier => 'everything')
+    root_feature = MiqProductFeature.find_by(:identifier => SUPER_ADMIN_FEATURE)
     Dir.glob(path.join("*.yml")).each do |fixture|
       seed_from_hash(YAML.load_file(fixture), seen, root_feature)
     end

diff --git a/app/models/miq_user_role.rb b/app/models/miq_user_role.rb
@@ -1,6 +1,4 @@
 class MiqUserRole < ApplicationRecord
-  SUPER_ADMIN_ROLE_NAME = "EvmRole-super_administrator"
-  ADMIN_ROLE_NAME       = "EvmRole-administrator"
   DEFAULT_TENANT_ROLE_NAME = "EvmRole-tenant_administrator"
 
   has_many                :entitlements, :dependent => :restrict_with_exception
@@ -65,8 +63,10 @@ def limited_self_service?
     (settings || {}).fetch_path(:restrictions, :vms) == :user
   end
 
-  def self.with_roles_excluding(disallowed_roles)
-    where.not(:name => disallowed_roles)
+  def self.with_roles_excluding(identifier)
+    where.not(:id => MiqUserRole.joins(:miq_product_features)
+                                .where(:miq_product_features => {:identifier => identifier})
+                                .select(:id))
   end
 
   def self.seed
@@ -101,11 +101,11 @@ def vm_restriction
   end
 
   def super_admin_user?
-    name == SUPER_ADMIN_ROLE_NAME
+    allows?(:identifier => MiqProductFeature::SUPER_ADMIN_FEATURE)
   end
 
   def admin_user?
-    name == SUPER_ADMIN_ROLE_NAME || name == ADMIN_ROLE_NAME
+    allows_any?(:identifiers => [MiqProductFeature::SUPER_ADMIN_FEATURE, MiqProductFeature::ADMIN_FEATURE])
   end
 
   def self.default_tenant_role

diff --git a/app/models/user.rb b/app/models/user.rb
@@ -25,7 +25,8 @@ class User < ApplicationRecord
   belongs_to :current_group, :class_name => "MiqGroup"
   has_and_belongs_to_many :miq_groups
   scope      :superadmins, lambda {
-    joins(:miq_groups => :miq_user_role).where(:miq_user_roles => {:name => MiqUserRole::SUPER_ADMIN_ROLE_NAME })
+    joins(:miq_groups => {:miq_user_role => :miq_product_features})
+      .where(:miq_product_features => {:identifier => MiqProductFeature::SUPER_ADMIN_FEATURE })
   }
 
   virtual_has_many :active_vms, :class_name => "VmOrTemplate"
@@ -48,8 +49,10 @@ class User < ApplicationRecord
   serialize     :settings, Hash   # Implement settings column as a hash
   default_value_for(:settings) { Hash.new }
 
-  def self.with_roles_excluding(disallowed_roles)
-    includes(:miq_groups => :miq_user_role).where.not(:miq_user_roles => {:name => disallowed_roles})
+  def self.with_roles_excluding(identifier)
+    where.not(:id => User.joins(:miq_groups => :miq_product_features)
+                             .where(:miq_product_features => {:identifier => identifier})
+                             .select(:id))
   end
 
   def self.scope_by_tenant?

diff --git a/db/fixtures/miq_product_features.yml b/db/fixtures/miq_product_features.yml
@@ -1602,6 +1602,11 @@
     :description: Edit Report Menus Accordion
     :feature_type: node
     :identifier: miq_report_menu_editor
+# Special Admin Functionality
+  - :name: Admin
+    :description: Special Admin Functionality
+    :feature_type: admin
+    :identifier: miq_report_superadmin
   - :name: Import / Export
     :description: Import / Export Accordion
     :feature_type: node

diff --git a/db/fixtures/miq_user_roles.yml b/db/fixtures/miq_user_roles.yml
@@ -70,6 +70,7 @@
   - policy_simulation
   - policy_log
   - miq_report
+  - miq_report_superadmin
   - miq_request
   - miq_template
   - orchestration_stack

diff --git a/lib/rbac/filterer.rb b/lib/rbac/filterer.rb
@@ -506,8 +506,9 @@ def scope_for_user_role_group(klass, scope, miq_group, user, managed_filters)
       if user_or_group.try!(:self_service?) && MiqUserRole != klass
         scope.where(:id => klass == User ? user.id : miq_group.id)
       else
-        if user_or_group.miq_user_role_name == 'EvmRole-tenant_administrator'
-          scope = scope.with_roles_excluding(%w(EvmRole-super_administrator EvmRole-administrator))
+        # hide creating admin group / roles from tenant administrators
+        unless user_or_group.miq_user_role&.admin_user?
+          scope = scope.with_roles_excluding([MiqProductFeature::SUPER_ADMIN_FEATURE, MiqProductFeature::ADMIN_FEATURE])
         end
 
         if MiqUserRole != klass

diff --git a/spec/factories/miq_user_role.rb b/spec/factories/miq_user_role.rb
@@ -12,6 +12,7 @@
     name { |ur| ur.role ? "EvmRole-#{ur.role}" : generate(:miq_user_role_name) }
 
     after(:build) do |user, evaluator|
+      e_features = evaluator.features
       if evaluator.role.present?
         @system_roles ||= YAML.load_file(MiqUserRole::FIXTURE_YAML)
         seeded_role = @system_roles.detect { |role| role[:name] == "EvmRole-#{evaluator.role}" }
@@ -20,10 +21,18 @@
           user.read_only = seeded_role[:read_only]
           user.settings = seeded_role[:settings]
         end
+        if e_features.blank?
+          # admins now using a feature instead of a roll
+          if evaluator.role == "super_administrator"
+            e_features = MiqProductFeature::SUPER_ADMIN_FEATURE
+          elsif evaluator.role == "administrator"
+            e_features = MiqProductFeature::ADMIN_FEATURE
+          end
+        end
       end
 
-      if evaluator.features.present?
-        user.miq_product_features = Array.wrap(evaluator.features).map do |f|
+      if e_features.present?
+        user.miq_product_features = Array.wrap(e_features).map do |f|
           if f.kind_of?(MiqProductFeature) # TODO: remove class reference
             f
           else