Optimized (user|team)/:n/roles/

2026-01-18 13:11:19 -03:30 · 2016-04-25 14:07:32 -04:00 · 2016-04-25 14:07:32 -04:00 · 4c15374b05
commit 4c15374b05
parent 9df157c971
2 changed files with 27 additions and 3 deletions
--- a/awx/api/views.py
+++ b/awx/api/views.py
@ -816,7 +816,8 @@ class TeamRolesList(SubListCreateAttachDetachAPIView):

    def get_queryset(self):
        team = Team.objects.get(pk=self.kwargs['pk'])
-        return team.member_role.children.filter(id__in=Role.visible_roles(self.request.user))
+        #return team.member_role.children.filter(id__in=Role.visible_roles(self.request.user))
+        return Role.filter_visible_roles(self.request.user, team.member_role.children.all())

    # XXX: Need to enforce permissions
    def post(self, request, *args, **kwargs):
@ -1082,8 +1083,10 @@ class UserRolesList(SubListCreateAttachDetachAPIView):
    permission_classes = (IsAuthenticated,)

    def get_queryset(self):
-        #u = User.objects.get(pk=self.kwargs['pk'])
-        return Role.visible_roles(self.request.user).filter(members__in=[int(self.kwargs['pk']), ])
+        u = get_object_or_404(User, pk=self.kwargs['pk'])
+        if not self.request.user.can_access(User, 'read', u):
+            raise PermissionDenied()
+        return Role.filter_visible_roles(self.request.user, u.roles.all())

    def post(self, request, *args, **kwargs):
        # Forbid implicit role creation here
--- a/awx/main/models/rbac.py
+++ b/awx/main/models/rbac.py
@ -357,6 +357,7 @@ class Role(models.Model):
            'roles_table': Role._meta.db_table,
            'ids': ','.join(str(x) for x in user.roles.values_list('id', flat=True))
        }
+
        qs = Role.objects.extra(
            where = ['''
                    %(roles_table)s.id IN (
@ -368,6 +369,26 @@ class Role(models.Model):
        )
        return qs

+    @staticmethod
+    def filter_visible_roles(user, roles_qs):
+        sql_params = {
+            'ancestors_table': Role.ancestors.through._meta.db_table,
+            'parents_table': Role.parents.through._meta.db_table,
+            'roles_table': Role._meta.db_table,
+            'ids': ','.join(str(x) for x in user.roles.all().values_list('id', flat=True))
+        }
+
+        qs = roles_qs.extra(
+            where = ['''
+                EXISTS (
+                    SELECT 1 FROM
+                    %(ancestors_table)s
+                    WHERE (descendent_id = %(roles_table)s.id AND ancestor_id IN (%(ids)s))
+                       OR (ancestor_id = %(roles_table)s.id AND descendent_id IN (%(ids)s))
+                ) ''' % sql_params]
+        )
+        return qs
+
    @staticmethod
    def singleton(name):
        role, _ = Role.objects.get_or_create(singleton_name=name, role_field=name)