From fd13a8ab7920ebceb19f2cc565c82f7d8542f422 Mon Sep 17 00:00:00 2001
From: Keenan Brock
Date: Thu, 10 May 2018 13:27:09 -0400
Subject: [PATCH] User#with_current_user_groups -> with_groups move hardcoded admin logic over to rbac
---
 app/models/miq_group.rb | 6 +++---
 app/models/user.rb | 6 +++---
 lib/rbac/filterer.rb | 3 ++-
 3 files changed, 8 insertions(+), 7 deletions(-)
diff --git a/app/models/miq_group.rb b/app/models/miq_group.rb
index 509b5cc86c0..bceaf376d7e 100644
--- a/app/models/miq_group.rb
+++ b/app/models/miq_group.rb
@@ -247,9 +247,9 @@ def self.non_tenant_groups_in_my_region
 in_my_region.non_tenant_groups
 end
- def self.with_current_user_groups(user = nil)
- current_user = user || User.current_user
- current_user.admin_user? ? all : where(:id => current_user.miq_group_ids)
+ # parallel to User.with_groups - only show these groups
+ def self.with_groups(miq_group_ids)
+ where(:id => miq_group_ids)
 end
 def single_group_users?
diff --git a/app/models/user.rb b/app/models/user.rb
index 20e73590e39..6abd61852f9 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -285,9 +285,9 @@ def self.current_user
 Thread.current[:user] ||= find_by_userid(current_userid)
 end
- def self.with_current_user_groups(user = nil)
- user ||= current_user
- user.admin_user? ? all : includes(:miq_groups).where(:miq_groups => {:id => user.miq_group_ids})
+ # parallel to MiqGroup.with_groups - only show users with these groups
+ def self.with_groups(miq_group_ids)
+ includes(:miq_groups).where(:miq_groups => {:id => miq_group_ids})
 end
 def self.missing_user_features(db_user)
diff --git a/lib/rbac/filterer.rb b/lib/rbac/filterer.rb
index fe093bbcf5e..a5f9a50c364 100644
--- a/lib/rbac/filterer.rb
+++ b/lib/rbac/filterer.rb
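Review bot: The new one-line comments on `MiqGroup.with_groups` (app/models/miq_group.rb) and `User.with_groups` (app/models/user.rb) do not say that the admin bypass and the `User.current_user` fallback are gone, so both scopes now filter unconditionally and the authorization decision rests entirely on the caller. I would spell that out in each comment, e.g. `# NOTE: no admin bypass here; the caller (Rbac::Filterer) decides whether to apply this scope`. Only lib/rbac/filterer.rb is updated in this patch, so any other caller of `with_current_user_groups` would now raise NoMethodError; a repository-wide search for the old name is worth doing before merging.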
@@ -520,7 +520,8 @@ def scope_for_user_role_group(klass, scope, miq_group, user, managed_filters)
 if MiqUserRole != klass
 filtered_ids = pluck_ids(get_managed_filter_object_ids(scope, managed_filters))
- scope = scope.with_current_user_groups(user)
+ # Non admins can only see their own groups
+ scope = scope.with_groups(user.miq_group_ids) unless user_or_group.miq_user_role&.admin_user?
 end
 scope_by_ids(scope, filtered_ids)
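Review bot: On the added `scope.with_groups(user.miq_group_ids)` line the admin decision is read from `user_or_group` while the group ids are read from `user`, and the removed `with_current_user_groups(user)` tolerated a nil `user` by falling back to `User.current_user`. If this method can be reached with only `miq_group` set (`user_or_group` is assigned outside the hunk, so this is inferred), the non-admin path now raises NoMethodError instead of filtering. Consider resolving the ids explicitly, for example `group_ids = user ? user.miq_group_ids : [miq_group.id]` and then `scope = scope.with_groups(group_ids) unless user_or_group.miq_user_role&.admin_user?`. A nil `miq_user_role` makes the `&.` check falsy, so the group filter is still applied in that case, which is the safe direction; a spec pinning that behaviour would keep it from regressing. The method body starts and ends outside the hunk.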