User#with_current_user_groups -> with_groups

move hardcoded admin logic over to rbac
ManageIQ · May 29, 2018 · fd13a8a · fd13a8a
1 parent 83ad831
commit fd13a8a
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 7 deletions.
diff --git a/app/models/miq_group.rb b/app/models/miq_group.rb
@@ -247,9 +247,9 @@ def self.non_tenant_groups_in_my_region
  in_my_region.non_tenant_groups
  end
 
- def self.with_current_user_groups(user = nil)
-  current_user = user || User.current_user
- current_user.admin_user? ? all : where(:id => current_user.miq_group_ids)
+ # parallel to User.with_groups - only show these groups
+ def self.with_groups(miq_group_ids)
+ where(:id => miq_group_ids)
  end
 
  def single_group_users?

diff --git a/app/models/user.rb b/app/models/user.rb
@@ -285,9 +285,9 @@ def self.current_user
  Thread.current[:user] ||= find_by_userid(current_userid)
  end
 
- def self.with_current_user_groups(user = nil)
-  user ||= current_user
- user.admin_user? ? all : includes(:miq_groups).where(:miq_groups => {:id => user.miq_group_ids})
+ # parallel to MiqGroup.with_groups - only show users with these groups
+ def self.with_groups(miq_group_ids)
+ includes(:miq_groups).where(:miq_groups => {:id => miq_group_ids})
  end
 
  def self.missing_user_features(db_user)

diff --git a/lib/rbac/filterer.rb b/lib/rbac/filterer.rb
@@ -520,7 +520,8 @@ def scope_for_user_role_group(klass, scope, miq_group, user, managed_filters)
 
  if MiqUserRole != klass
  filtered_ids = pluck_ids(get_managed_filter_object_ids(scope, managed_filters))
- scope = scope.with_current_user_groups(user)
+ # Non admins can only see their own groups
+ scope = scope.with_groups(user.miq_group_ids) unless user_or_group.miq_user_role&.admin_user?
  end
 
  scope_by_ids(scope, filtered_ids)