Merge pull request #4862 from AlanCoding/poly_morphin_time

Unified JT and Unified Job queryset refactor

awx/main/access.py

@@ -1826,25 +1826,22 @@ class JobEventAccess(BaseAccess):
 class UnifiedJobTemplateAccess(BaseAccess):
     '''
     I can see a unified job template whenever I can see the same project,
-    inventory source or job template.  Unified job templates do not include
-    projects without SCM configured or inventory sources without a cloud
-    source.
+    inventory source, WFJT, or job template.  Unified job templates do not include
+    inventory sources without a cloud source.
     '''
 
     model = UnifiedJobTemplate
 
     def get_queryset(self):
-        qs = self.model.objects.all()
-        project_qs = self.user.get_queryset(Project).filter(scm_type__in=[s[0] for s in Project.SCM_TYPE_CHOICES])
-        inventory_source_qs = self.user.get_queryset(InventorySource).filter(source__in=CLOUD_INVENTORY_SOURCES)
-        job_template_qs = self.user.get_queryset(JobTemplate)
-        system_job_template_qs = self.user.get_queryset(SystemJobTemplate)
-        workflow_job_template_qs = self.user.get_queryset(WorkflowJobTemplate)
-        qs = qs.filter(Q(Project___in=project_qs) |
-                       Q(InventorySource___in=inventory_source_qs) |
-                       Q(JobTemplate___in=job_template_qs) |
-                       Q(systemjobtemplate__in=system_job_template_qs) |
-                       Q(workflowjobtemplate__in=workflow_job_template_qs))
+        if self.user.is_superuser or self.user.is_system_auditor:
+            qs = self.model.objects.all()
+        else:
+            qs = self.model.objects.filter(
+                Q(pk__in=self.model.accessible_pk_qs(self.user, 'read_role')) |
+                Q(inventorysource__inventory__id__in=Inventory._accessible_pk_qs(
+                    Inventory, self.user, 'read_role')))
+        qs = qs.exclude(inventorysource__source="")
+
         qs = qs.select_related(
             'created_by',
             'modified_by',
@@ -1883,25 +1880,23 @@ class UnifiedJobAccess(BaseAccess):
     model = UnifiedJob
 
     def get_queryset(self):
-        qs = self.model.objects.all()
-        project_update_qs = self.user.get_queryset(ProjectUpdate)
-        inventory_update_qs = self.user.get_queryset(InventoryUpdate).filter(source__in=CLOUD_INVENTORY_SOURCES)
-        job_qs = self.user.get_queryset(Job)
-        ad_hoc_command_qs = self.user.get_queryset(AdHocCommand)
-        system_job_qs = self.user.get_queryset(SystemJob)
-        workflow_job_qs = self.user.get_queryset(WorkflowJob)
-        qs = qs.filter(Q(ProjectUpdate___in=project_update_qs) |
-                       Q(InventoryUpdate___in=inventory_update_qs) |
-                       Q(Job___in=job_qs) |
-                       Q(AdHocCommand___in=ad_hoc_command_qs) |
-                       Q(SystemJob___in=system_job_qs) |
-                       Q(WorkflowJob___in=workflow_job_qs))
-        qs = qs.select_related(
+        if self.user.is_superuser or self.user.is_system_auditor:
+            qs = self.model.objects.all()
+        else:
+            inv_pk_qs = Inventory._accessible_pk_qs(Inventory, self.user, 'read_role')
+            org_auditor_qs = Organization.objects.filter(
+                Q(admin_role__members=self.user) | Q(auditor_role__members=self.user))
+            qs = self.model.objects.filter(
+                Q(unified_job_template_id__in=UnifiedJobTemplate.accessible_pk_qs(self.user, 'read_role')) |
+                Q(inventoryupdate__inventory_source__inventory__id__in=inv_pk_qs) |
+                Q(adhoccommand__inventory__id__in=inv_pk_qs) |
+                Q(job__inventory__organization__in=org_auditor_qs) |
+                Q(job__project__organization__in=org_auditor_qs)
+            )
+        qs = qs.prefetch_related(
             'created_by',
             'modified_by',
             'unified_job_node__workflow_job',
-        )
-        qs = qs.prefetch_related(
             'unified_job_template',
         )
 

awx/main/models/mixins.py

@@ -38,7 +38,7 @@ class ResourceMixin(models.Model):
         return ResourceMixin._accessible_objects(cls, accessor, role_field)
 
     @staticmethod
-    def _accessible_objects(cls, accessor, role_field):
+    def _accessible_pk_qs(cls, accessor, role_field, content_types=None):
         if type(accessor) == User:
             ancestor_roles = accessor.roles.all()
         elif type(accessor) == Role:
@@ -47,14 +47,22 @@ class ResourceMixin(models.Model):
             accessor_type = ContentType.objects.get_for_model(accessor)
             ancestor_roles = Role.objects.filter(content_type__pk=accessor_type.id,
                                                  object_id=accessor.id)
-        qs = cls.objects.filter(pk__in =
-                                RoleAncestorEntry.objects.filter(
-                                    ancestor__in=ancestor_roles,
-                                    content_type_id = ContentType.objects.get_for_model(cls).id,
-                                    role_field = role_field
-                                ).values_list('object_id').distinct()
-                                )
-        return qs
+
+        if content_types is None:
+            ct_kwarg = dict(content_type_id = ContentType.objects.get_for_model(cls).id)
+        else:
+            ct_kwarg = dict(content_type_id__in = content_types)
+
+        return RoleAncestorEntry.objects.filter(
+            ancestor__in = ancestor_roles,
+            role_field = role_field,
+            **ct_kwarg
+        ).values_list('object_id').distinct()
+
+
+    @staticmethod
+    def _accessible_objects(cls, accessor, role_field):
+        return cls.objects.filter(pk__in = ResourceMixin._accessible_pk_qs(cls, accessor, role_field))
 
 
     def get_permissions(self, accessor):

awx/main/models/unified_jobs.py

@@ -20,6 +20,7 @@ from django.utils.translation import ugettext_lazy as _
 from django.utils.timezone import now
 from django.utils.encoding import smart_text
 from django.apps import apps
+from django.contrib.contenttypes.models import ContentType
 
 # Django-Polymorphic
 from polymorphic import PolymorphicModel
@@ -30,6 +31,7 @@ from djcelery.models import TaskMeta
 # AWX
 from awx.main.models.base import * # noqa
 from awx.main.models.schedules import Schedule
+from awx.main.models.mixins import ResourceMixin
 from awx.main.utils import (
     decrypt_field, _inventory_updates,
     copy_model_by_class, copy_m2m_relationships
@@ -166,6 +168,20 @@ class UnifiedJobTemplate(PolymorphicModel, CommonModelNameNotUnique, Notificatio
         else:
             return super(UnifiedJobTemplate, self).unique_error_message(model_class, unique_check)
 
+    @classmethod
+    def accessible_pk_qs(cls, accessor, role_field):
+        '''
+        A re-implementation of accessible pk queryset for the "normal" unified JTs.
+        Does not return inventory sources or system JTs, these should
+        be handled inside of get_queryset where it is utilized.
+        '''
+        ujt_names = [c.__name__.lower() for c in cls.__subclasses__()
+                     if c.__name__.lower() not in ['inventorysource', 'systemjobtemplate']]
+        subclass_content_types = list(ContentType.objects.filter(
+            model__in=ujt_names).values_list('id', flat=True))
+
+        return ResourceMixin._accessible_pk_qs(cls, accessor, role_field, content_types=subclass_content_types)
+
     def _perform_unique_checks(self, unique_checks):
         # Handle the list of unique fields returned above. Replace with an
         # appropriate error message for the remaining field(s) in the unique