From 2bdc79f3ba0ca6a0291b8f2bdb57e0d952dfdbb1 Mon Sep 17 00:00:00 2001
From: Matthew Jones <mat@matburt.net>
Date: Fri, 31 Jul 2015 00:04:47 -0400
Subject: [PATCH] Optimize inventory read check for Job Templates

Our old check used an extremely inefficient boolean logic AND and
generated a bad query.   This does a simpler check by querying the
inventories that the user has access to and using that as a simple
condition when performing the job template permission query
---
 awx/main/access.py | 20 ++++----------------
 1 file changed, 4 insertions(+), 16 deletions(-)

diff --git a/awx/main/access.py b/awx/main/access.py
index c6f281a75c..e5f0c4df95 100644
--- a/awx/main/access.py
+++ b/awx/main/access.py
@@ -864,11 +864,11 @@ class JobTemplateAccess(BaseAccess):
         if self.user.is_superuser:
             return qs
         credential_ids = set(self.user.get_queryset(Credential).values_list('id', flat=True))
+        inventory_ids = set(self.user.get_queryset(Inventory).values_list('id', flat=True))
         base_qs = qs.filter(
             Q(credential_id__in=credential_ids) | Q(credential__isnull=True),
             Q(cloud_credential_id__in=credential_ids) | Q(cloud_credential__isnull=True),
         )
-        # FIXME: Check active status on related objects!
         org_admin_qs = base_qs.filter(
             Q(project__organizations__admins__in=[self.user]) |
             (Q(project__isnull=True) & Q(job_type=PERM_INVENTORY_SCAN) & Q(inventory__organization__admins__in=[self.user]))
@@ -895,6 +895,7 @@ class JobTemplateAccess(BaseAccess):
             inventory__permissions__in=deploy_permissions_ids,
             project__permissions__in=deploy_permissions_ids,
             inventory__permissions__pk=F('project__permissions__pk'),
+            inventory_id__in=inventory_ids,
         )
 
         perm_check_qs = base_qs.filter(
@@ -902,23 +903,10 @@ class JobTemplateAccess(BaseAccess):
             inventory__permissions__in=check_permissions_ids,
             project__permissions__in=check_permissions_ids,
             inventory__permissions__pk=F('project__permissions__pk'),
+            inventory_id__in=inventory_ids,
         )
 
-        perm_inventory_read_user_qs = qs.filter(
-            inventory__permissions__user__in=[self.user],
-            inventory__permissions__permission_type__in=PERMISSION_TYPES_ALLOWING_INVENTORY_READ,
-            inventory__permissions__active=True)
-
-        perm_inventory_read_team_qs = qs.filter(
-            inventory__permissions__team__users__in=[self.user],
-            inventory__permissions__team__active=True,
-            inventory__permissions__permission_type__in=PERMISSION_TYPES_ALLOWING_INVENTORY_READ,
-            inventory__permissions__active=True)
-
-        perm_inventory = perm_inventory_read_user_qs | perm_inventory_read_team_qs
-
-        # FIXME: I *think* this should work... needs more testing.
-        return org_admin_qs | (perm_deploy_qs & perm_inventory) | (perm_check_qs & perm_inventory)
+        return org_admin_qs | perm_deploy_qs | perm_check_qs
 
     def can_read(self, obj):
         # you can only see the job templates that you have permission to launch.