From 2f8885a78c467a3223767faea66754cf7d8e5701 Mon Sep 17 00:00:00 2001
From: lpichler
Date: Tue, 27 Mar 2018 15:18:31 +0200
Subject: [PATCH] Restrict MiqRequest by user's group

---
 lib/rbac/filterer.rb | 3 +++
 spec/lib/rbac/filterer_spec.rb | 19 +++++++++++++++++++
 2 files changed, 22 insertions(+)

diff --git a/lib/rbac/filterer.rb b/lib/rbac/filterer.rb
index d5ad0e563867..baec97f717f1 100644
--- a/lib/rbac/filterer.rb
+++ b/lib/rbac/filterer.rb
@@ -41,6 +41,7 @@ class Filterer
       MiddlewareMessaging
       MiddlewareServer
       MiddlewareServerGroup
+      MiqRequest
       NetworkPort
       NetworkRouter
       OrchestrationStack
@@ -352,6 +353,8 @@ def pluck_ids(targets)
     end
 
     def get_self_service_objects(user, miq_group, klass)
+      return klass.where(:requester_id => miq_group.user_ids) if klass < MiqRequest && miq_group.present?
+
       return nil if miq_group.nil? || !miq_group.self_service? || !(klass < OwnershipMixin)
 
       # for limited_self_service, use user's resources, not user.current_group's resources
diff --git a/spec/lib/rbac/filterer_spec.rb b/spec/lib/rbac/filterer_spec.rb
index 61141f471e8e..2e4380fb4e5b 100644
--- a/spec/lib/rbac/filterer_spec.rb
+++ b/spec/lib/rbac/filterer_spec.rb
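Review bot: The new guard at the top of get_self_service_objects uses a strict subclass test, so a search with `:class => MiqRequest` itself (`MiqRequest < MiqRequest` is false) skips the requester restriction and falls through to the OwnershipMixin check; if the STI base class is a valid search target here, the line should read `return klass.where(:requester_id => miq_group.user_ids) if klass <= MiqRequest && miq_group.present?`. The `user` argument is not consulted on this path and the early return also precedes the `self_service?` check, so the scope is every request whose requester is currently a member of `miq_group` regardless of the group's self-service setting — that looks intended from the subject, but deserves a comment such as `# MiqRequests are visible to all current members of the requester's group, independent of self_service`. The method body continues past the hunk, so whether the tenant or managed filters still combine with this early return cannot be confirmed from here. The one-line addition to CLASSES_THAT_PARTICIPATE_IN_RBAC in the first hunk needs no comment.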
@@ -125,6 +125,25 @@ def combine_filtered_ids(user_filtered_ids, belongsto_filtered_ids, managed_filt let(:child_openstack_vm) { FactoryGirl.create(:vm_openstack, :tenant => child_tenant, :miq_group => child_group) } describe ".search" do + context 'for MiqRequests' do + let!(:miq_request_user_owner) { FactoryGirl.create(:miq_provision_request, :tenant => owner_tenant, :requester => owner_user) } + let!(:user_b) { FactoryGirl.create(:user, :miq_groups => [other_group]) } + + context 'user is in different group but in same tenant as requester' do + it "doesn't display requests for user_b because he is not in same group" do + results = described_class.search(:class => MiqProvisionRequest, :user => user_b).first + expect(results).to be_empty + end + + let(:user_c) { FactoryGirl.create(:user, :miq_groups => [owner_group]) } + + it "displays requests for user_c because he is in same group" do + results = described_class.search(:class => MiqProvisionRequest, :user => owner_user).first + expect(results).to match_array([miq_request_user_owner]) + end + end + end + context 'with tags' do let(:role) { FactoryGirl.create(:miq_user_role) } let(:tagged_group) { FactoryGirl.create(:miq_group, :tenant => Tenant.root_tenant, :miq_user_role => role) }
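Review bot: The second example ("displays requests for user_c because he is in same group") searches with `:user => owner_user`, so `user_c` is never referenced and the same-group-but-different-user case the title describes is not exercised; the call should be `results = described_class.search(:class => MiqProvisionRequest, :user => user_c).first`. Referencing `user_c` in the example also makes the lazy `let` take effect. A companion example that searches with `:class => MiqRequest` (the base class) would pin down whether the requester restriction applies there as well, since the filterer guard only matches subclasses. The enclosing `describe ".search"` block continues past the hunk.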