From 6a795af70992bc47b6223ca3c167fab3d3b610fb Mon Sep 17 00:00:00 2001
From: lpichler
Date: Wed, 26 Apr 2017 16:09:33 +0200
Subject: [PATCH 1/3] =?UTF-8?q?Add=20scope=20for=20allowed=20user=E2=80=99?= =?UTF-8?q?s=20role?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 app/models/user.rb | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/app/models/user.rb b/app/models/user.rb
index 0ea4fe2c832..232ba7f5d3f 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -47,6 +47,10 @@ class User < ApplicationRecord
   serialize :settings, Hash # Implement settings column as a hash
   default_value_for(:settings) { Hash.new }
+  def self.with_allowed_roles_for(user_or_group) includes(:miq_groups => :miq_user_role).where.not(:miq_user_roles => {:name => user_or_group.disallowed_roles}) end
+
   def self.scope_by_tenant?
     true
   end
From 9a0d0def4da9b1c4de916425efc9a1f2e27ac1b6 Mon Sep 17 00:00:00 2001
From: lpichler
Date: Wed, 26 Apr 2017 16:10:08 +0200
Subject: [PATCH 2/3] Enable control by roles for User model in RBAC
---
 lib/rbac/filterer.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/rbac/filterer.rb b/lib/rbac/filterer.rb
index 7af0d83a40a..130873c15c7 100644
--- a/lib/rbac/filterer.rb
+++ b/lib/rbac/filterer.rb
@@ -476,7 +476,7 @@ def scope_targets(klass, scope, rbac_filters, user, miq_group)
     elsif klass == MiqGroup && miq_group.try!(:self_service?)
       # Self Service users searching for groups only see their group
       scope.where(:id => miq_group.id)
-    elsif [MiqUserRole, MiqGroup].include?(klass) && (user_or_group = miq_group || user) &&
+    elsif [MiqUserRole, MiqGroup, User].include?(klass) && (user_or_group = miq_group || user) &&
           user_or_group.disallowed_roles
       scope.with_allowed_roles_for(user_or_group)
     else
From 04815891af917cb2470e60f55224299640afd819 Mon Sep 17 00:00:00 2001
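Review bot: `with_allowed_roles_for` filters joined rows rather than users, so a user who is in one group with a disallowed role and another group with an allowed role is still returned (only the allowed group ends up eager-loaded), while a user with no group at all is dropped because `NOT IN` against a NULL role name is never true. If the intent is to hide every user that holds a disallowed role anywhere, a subquery over the disallowed set says so unambiguously: `where.not(:id => User.joins(:miq_groups => :miq_user_role).where(:miq_user_roles => {:name => user_or_group.disallowed_roles}))`. Whichever semantics is meant, the method deserves a comment stating it, e.g. `# Users visible to user_or_group: excludes users whose group role is in user_or_group.disallowed_roles`; the spec added in patch 3 covers only the single-group case, so the multi-group and no-group behaviour is currently unpinned.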
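Review bot: The role-based branch now covers three classes but carries no comment, unlike the self-service branch directly above it; a line such as `# Roles, groups and users are hidden when their role is in the caller's disallowed_roles` would record why `User` belongs here. Growing the class list inline means each new class edits this condition next to the inline `user_or_group =` assignment; hoisting it into a frozen constant at the top of the filterer (constructed name, e.g. `ROLE_FILTERED_CLASSES = [MiqUserRole, MiqGroup, User].freeze`) would keep the branch readable. `scope_targets` starts and ends outside the hunk.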
From: lpichler
Date: Wed, 26 Apr 2017 16:11:11 +0200
Subject: [PATCH 3/3] Specs to ensure that user are listed only with allowed role
---
 spec/lib/rbac/filterer_spec.rb | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/spec/lib/rbac/filterer_spec.rb b/spec/lib/rbac/filterer_spec.rb
index 4fcfa31c4d7..aba05dd280d 100644
--- a/spec/lib/rbac/filterer_spec.rb
+++ b/spec/lib/rbac/filterer_spec.rb
@@ -417,6 +417,17 @@ def get_rbac_results_for_and_expect_objects(klass, expected_objects)
       expect(MiqUserRole.count).to eq(3)
       get_rbac_results_for_and_expect_objects(MiqGroup, [group])
     end
+
+    let(:super_admin_group) do
+      FactoryGirl.create(:miq_group, :tenant => default_tenant, :miq_user_role => super_administrator_user_role)
+    end
+
+    let!(:super_admin_user) { FactoryGirl.create(:user, :miq_groups => [super_admin_group]) }
+
+    it 'can see all users expect to user with group with role EvmRole-super_administrator' do
+      expect(User.count).to eq(2)
+      get_rbac_results_for_and_expect_objects(User, [user])
+    end
   end
 end
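Review bot: The new example's description says `expect` where `except` is meant; `it 'can see all users except the user whose group has the EvmRole-super_administrator role' do` reads as intended. The example only exercises a user whose sole group carries the disallowed role; a user that belongs to both an allowed and a disallowed group, and a user with no group at all, go through different rows of the join in `User.with_allowed_roles_for` and each deserve their own example so the intended visibility is pinned rather than incidental. `super_administrator_user_role`, `default_tenant` and `user` are presumably `let`s declared above this hunk, as the enclosing describe block starts outside it.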