Allow tenant admins to see all groups within the scope of their tenant

Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1596639 Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1596266
ManageIQ · Aug 3, 2018 · 8934759 · 8934759
1 parent 2f61692
commit 8934759
Showing 1 changed file with 4 additions and 3 deletions.
diff --git a/lib/rbac/filterer.rb b/lib/rbac/filterer.rb
@@ -514,15 +514,16 @@ def scope_for_user_role_group(klass, scope, miq_group, user, managed_filters)
  if user_or_group.try!(:self_service?) && MiqUserRole != klass
  scope.where(:id => klass == User ? user.id : miq_group.id)
  else
+ role = user_or_group.miq_user_role
  # hide creating admin group / roles from non-super administrators
- unless user_or_group.miq_user_role&.super_admin_user?
+ unless role&.super_admin_user?
  scope = scope.with_roles_excluding(MiqProductFeature::SUPER_ADMIN_FEATURE)
  end
 
  if MiqUserRole != klass
  filtered_ids = pluck_ids(get_managed_filter_object_ids(scope, managed_filters))
- # Non admins can only see their own groups
- scope = scope.with_groups(user.miq_group_ids) unless user_or_group.miq_user_role&.super_admin_user?
+ # Non tenant admins can only see their own groups. Note - a super admin is also a tenant admin
+ scope = scope.with_groups(user.miq_group_ids) unless role&.tenant_admin_user?
  end
 
  scope_by_ids(scope, filtered_ids)