From d4481688e06d35e0f2220b6f1d19d0a1eb036597 Mon Sep 17 00:00:00 2001
From: Brandon Dunne <brandondunne@hotmail.com>
Date: Mon, 12 Nov 2018 15:04:44 -0500
Subject: [PATCH] Merge pull request #18179 from
 gtanzillo/fix-dynamic-product-features

Authorize user with non-dynamic product feature if included in user's role

(cherry picked from commit f489784b0917a30aa810772b3888bb9dac9cec0c)

https://bugzilla.redhat.com/show_bug.cgi?id=1468795
---
 app/models/miq_product_feature.rb |  2 +-
 lib/rbac/authorizer.rb            |  4 +++-
 spec/models/miq_user_role_spec.rb | 19 +++++++++++++++----
 3 files changed, 19 insertions(+), 6 deletions(-)

diff --git a/app/models/miq_product_feature.rb b/app/models/miq_product_feature.rb
index 92e0e01c4f2..664467b65b6 100644
--- a/app/models/miq_product_feature.rb
+++ b/app/models/miq_product_feature.rb
@@ -52,7 +52,7 @@ def self.root_tenant_identifier?(identifier)
   end
 
   def self.current_tenant_identifier(identifier)
-    identifier && feature_details(identifier) && root_tenant_identifier?(identifier) ? tenant_identifier(identifier, User.current_tenant.id) : identifier
+    tenant_identifier(identifier, User.current_tenant.id) if identifier && feature_details(identifier) && root_tenant_identifier?(identifier)
   end
 
   def self.feature_yaml(path = FIXTURE_PATH)
diff --git a/lib/rbac/authorizer.rb b/lib/rbac/authorizer.rb
index 06c8950175f..757f7c514d8 100644
--- a/lib/rbac/authorizer.rb
+++ b/lib/rbac/authorizer.rb
@@ -22,10 +22,12 @@ def role_allows?(options = {})
 
       any     = options[:any]
 
-      identifier = MiqProductFeature.current_tenant_identifier(identifier)
+      tenant_identifier = MiqProductFeature.current_tenant_identifier(identifier)
 
       auth = if any.present?
                user_role_allows_any?(user, :identifiers => (identifiers || [identifier]))
+             elsif tenant_identifier
+               [identifier, tenant_identifier].any? { |i| user_role_allows?(user, :identifier => i) }
              else
                user_role_allows?(user, :identifier => identifier)
              end
diff --git a/spec/models/miq_user_role_spec.rb b/spec/models/miq_user_role_spec.rb
index 440462e3f5c..2731851a2b7 100644
--- a/spec/models/miq_user_role_spec.rb
+++ b/spec/models/miq_user_role_spec.rb
@@ -81,26 +81,37 @@
       let!(:tenant_1) { FactoryGirl.create(:tenant, :parent => root_tenant) }
       let!(:tenant_2) { FactoryGirl.create(:tenant, :parent => root_tenant) }
 
-      let(:feature) { MiqProductFeature.find_all_by_identifier(["dialog_edit_editor_tenant_#{tenant_2.id}", "rbac_tenant_manage_quotas_tenant_#{tenant_2.id}"]) }
-      let(:role)           { FactoryGirl.create(:miq_user_role, :miq_product_features => feature) }
+      let(:feature)             { MiqProductFeature.find_all_by_identifier(["dialog_edit_editor_tenant_#{tenant_2.id}", "rbac_tenant_manage_quotas_tenant_#{tenant_2.id}"]) }
+      let(:non_dynamic_feature) { MiqProductFeature.find_all_by_identifier(["dialog_edit_editor", "rbac_tenant_manage_quotas"]) }
+      let(:role)            { FactoryGirl.create(:miq_user_role, :miq_product_features => feature) }
+      let(:role_no_dynamic) { FactoryGirl.create(:miq_user_role, :miq_product_features => non_dynamic_feature) }
       let(:group_tenant_1) { FactoryGirl.create(:miq_group, :miq_user_role => role, :tenant => tenant_1) }
       let(:group_tenant_2) { FactoryGirl.create(:miq_group, :miq_user_role => role, :tenant => tenant_2) }
+      let(:group_3)        { FactoryGirl.create(:miq_group, :miq_user_role => role_no_dynamic, :tenant => tenant_2) }
       let!(:user_1) { FactoryGirl.create(:user, :userid => "user_1", :miq_groups => [group_tenant_1]) }
       let!(:user_2) { FactoryGirl.create(:user, :userid => "user_2", :miq_groups => [group_tenant_2]) }
+      let!(:user_3) { FactoryGirl.create(:user, :userid => "user_3", :miq_groups => [group_3]) }
 
-      it "doesn't authorise user without dynamic product feature" do
+      it "doesn't authorize user without dynamic product feature" do
         User.with_user(user_1) do
           expect(user_1.role_allows?(:identifier => "dialog_edit_editor")).to be_falsey
           expect(user_1.role_allows?(:identifier => "rbac_tenant_manage_quotas")).to be_falsey
         end
       end
 
-      it "authorise user with dynamic product feature" do
+      it "authorize user with dynamic product feature" do
         User.with_user(user_2) do
           expect(user_2.role_allows?(:identifier => "dialog_edit_editor")).to be_truthy
           expect(user_2.role_allows?(:identifier => "rbac_tenant_manage_quotas")).to be_truthy
         end
       end
+
+      it "authorize user with non-dynamic product feature" do
+        User.with_user(user_3) do
+          expect(user_3.role_allows?(:identifier => "dialog_edit_editor")).to be_truthy
+          expect(user_3.role_allows?(:identifier => "rbac_tenant_manage_quotas")).to be_truthy
+        end
+      end
     end
 
     it "should return the correct answer calling allows? when requested feature is directly assigned or a descendant of a feature in a role" do