From 1035a6737e3f9b331cb346097ebdb58cb5534a87 Mon Sep 17 00:00:00 2001
From: Akita Noek
Date: Fri, 29 Jan 2016 16:37:13 -0500
Subject: [PATCH] Added singleton role support method and parent_role auto-binder in the ImplicitRoleField Also fixed bug in the single object permission lookup.
---
 awx/main/fields.py | 10 ++++++++--
 awx/main/models/mixins.py | 4 +++-
 awx/main/models/rbac.py | 11 +++++++++++
 3 files changed, 22 insertions(+), 3 deletions(-)
diff --git a/awx/main/fields.py b/awx/main/fields.py
index d6a7dcf4d4..f6afd7581e 100644
--- a/awx/main/fields.py
+++ b/awx/main/fields.py
@@ -119,11 +119,17 @@ class ImplicitRoleDescriptor(ReverseSingleRelatedObjectDescriptor):
 # Add all non-null parent roles as parents
 if type(self.parent_role) is list:
 for path in self.parent_role:
- parent = resolve_field(instance, path)
+ if path.startswith("singleton:"):
+ parent = Role.singleton(path[10:])
+ else:
+ parent = resolve_field(instance, path)
 if parent:
 role.parents.add(parent)
 else:
- parent = resolve_field(instance, self.parent_role)
+ if self.parent_role.startswith("singleton:"):
+ parent = Role.singleton(self.parent_role[10:])
+ else:
+ parent = resolve_field(instance, self.parent_role)
 if parent:
 role.parents.add(parent)
 setattr(instance, self.field.name, role)
diff --git a/awx/main/models/mixins.py b/awx/main/models/mixins.py
index 4071e6d3cd..b1156e4913 100644
--- a/awx/main/models/mixins.py
+++ b/awx/main/models/mixins.py
@@ -113,7 +113,7 @@ class ResourceMixin(models.Model):
 FROM %(rbac_permission)s
 LEFT JOIN %(rbac_role_hierachy)s
 ON (%(rbac_permission)s.role_id = %(rbac_role_hierachy)s.role_id)
- LEFT JOIN %(rbac_role)s_members
+ INNER JOIN %(rbac_role)s_members
 ON (
 %(rbac_role)s_members.role_id = %(rbac_role_hierachy)s.ancestor_id
 AND %(rbac_role)s_members.user_id = %(user_id)d
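Review bot: In awx/main/fields.py the `singleton:` branch is written out twice, once in the list case and once in the single-path case, and both copies slice with the literal `10`, which silently goes wrong if the prefix string is ever edited. One helper that owns the prefix and slices with `len()` removes the duplication, and normalising `parent_role` to a list lets a single loop serve both cases. `Role.singleton()`, added in rbac.py by this same patch, creates the role when it does not exist, so a misspelled name in a field declaration would bind a new, memberless role as parent instead of failing; the helper is the natural place to document that. The enclosing method starts and ends outside the hunk.

```python
SINGLETON_PREFIX = "singleton:"


def _resolve_parent_role(instance, path):
    # "singleton:<name>" names a global role (created on first use by
    # Role.singleton); any other value is a field path on the instance.
    if path.startswith(SINGLETON_PREFIX):
        return Role.singleton(path[len(SINGLETON_PREFIX):])
    return resolve_field(instance, path)


# … unchanged: role creation above the hunk …
# Add all non-null parent roles as parents
paths = self.parent_role if type(self.parent_role) is list else [self.parent_role]
for path in paths:
    parent = _resolve_parent_role(instance, path)
    if parent:
        role.parents.add(parent)
setattr(instance, self.field.name, role)
```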
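Review bot: In awx/main/models/mixins.py (hunk at line 113) the move to `INNER JOIN` on the members table looks like the permission-lookup fix named in the commit message, yet the diffstat lists no test file; a regression test asserting that a user who belongs to none of the ancestor roles gets no permissions from this query would pin it. The new join's `ON` clause reads `%(rbac_role_hierachy)s.ancestor_id`, so rows for which the preceding `LEFT JOIN` found no hierarchy match are now dropped too, and writing that join as `INNER JOIN` as well would state what the query actually does. The SQL is filled in by `%` interpolation; `%(user_id)d` accepts only a number, but handing the value to the database as a bound parameter is the more robust form. The code that builds and executes the query is outside the hunk, so this needs confirming there.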
@@ -142,6 +142,8 @@ class ResourceMixin(models.Model):
 '''
 perms = self.get_permissions(user)
+ if not perms:
+ return False
 for k in permissions:
 if k not in perms or perms[k] < permissions[k]:
 return False
diff --git a/awx/main/models/rbac.py b/awx/main/models/rbac.py
index af54858af0..37948fe14e 100644
--- a/awx/main/models/rbac.py
+++ b/awx/main/models/rbac.py
@@ -26,6 +26,7 @@ class Role(CommonModelNameNotUnique):
 verbose_name_plural = _('roles')
 db_table = 'main_rbac_roles'
+ singleton_name = models.TextField(null=True, default=None, db_index=True, unique=True)
 parents = models.ManyToManyField('Role', related_name='children')
 members = models.ManyToManyField('auth.User', related_name='roles')
@@ -74,6 +75,16 @@ class Role(CommonModelNameNotUnique):
 setattr(permission, k, int(permissions[k]))
 permission.save()
+ @staticmethod
+ def singleton(name):
+ try:
+ return Role.objects.get(singleton_name=name)
+ except Role.DoesNotExist:
+ ret = Role(singleton_name=name)
+ ret.save()
+ return ret;
+
+
 class RoleHierarchy(CreatedModifiedModel):
 '''
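Review bot: In awx/main/models/mixins.py (hunk at line 142) the guard `if not perms: return False` treats `None` and an empty mapping the same way, and it also makes the method return False when `permissions` itself is empty, where the loop alone would have fallen through to whatever follows it outside the hunk. If `get_permissions` returns `None` to mean "no permission row", `if perms is None:` states that intent exactly. Either way, a comment such as `# no permission row for this user on this object: deny` and a sentence in the docstring would record that the denial is deliberate.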
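Review bot: In awx/main/models/rbac.py (hunk at line 26) `singleton_name` is declared with both `db_index=True` and `unique=True`; the unique constraint already creates an index, so `db_index=True` can be dropped. A unique `TextField` is also awkward on backends that cannot index an unbounded text column (MySQL needs a prefix length), so a `CharField` with an explicit `max_length` would be the safer type for a short role name. The diffstat lists only three source files and no migration, so check that this schema change ships with one.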
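Review bot: `Role.singleton()` (rbac.py, hunk at line 74) does a `get` followed by a separate `save()`, so two concurrent callers can both miss the lookup and both try to create the role; with `unique=True` on `singleton_name` the loser gets an `IntegrityError` instead of the existing role. Django's `get_or_create` covers that case: `role, _created = Role.objects.get_or_create(singleton_name=name)` followed by `return role`. The trailing semicolon in `return ret;` should be removed. The method also needs a docstring stating that it creates the role on first use, since any string passed in becomes a persistent role that other roles can inherit from.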