From 5071dba4ff010688e7264c3ac049d28a9417c938 Mon Sep 17 00:00:00 2001
From: Akita Noek
Date: Mon, 22 Feb 2016 14:54:27 -0500
Subject: [PATCH] Moved RBAC get_permissions implemenation to the Resource model

I had need to perform this query right on a Resource, so I moved it from the mixin to the Resource
---
 awx/main/models/mixins.py | 35 +----------------------------------
 awx/main/models/rbac.py | 37 +++++++++++++++++++++++++++++++++++++
 2 files changed, 38 insertions(+), 34 deletions(-)

diff --git a/awx/main/models/mixins.py b/awx/main/models/mixins.py
index 63ecf3a0dd..6d069ed3d4 100644
--- a/awx/main/models/mixins.py
+++ b/awx/main/models/mixins.py
@@ -43,40 +43,7 @@ class ResourceMixin(models.Model):
 
 
 def get_permissions(self, user):
- '''
- Returns a dict (or None) of the permissions a user has for a given
- resource.
-
- Note: Each field in the dict is the `or` of all respective permissions
- that have been granted to the roles that are applicable for the given
- user.
-
- In example, if a user has been granted read access through a permission
- on one role and write access through a permission on a separate role,
- the returned dict will denote that the user has both read and write
- access.
- '''
-
- qs = user.__class__.objects.filter(id=user.id, roles__descendents__permissions__resource=self.resource)
-
- qs = qs.annotate(max_create = Max('roles__descendents__permissions__create'))
- qs = qs.annotate(max_read = Max('roles__descendents__permissions__read'))
- qs = qs.annotate(max_write = Max('roles__descendents__permissions__write'))
- qs = qs.annotate(max_update = Max('roles__descendents__permissions__update'))
- qs = qs.annotate(max_delete = Max('roles__descendents__permissions__delete'))
- qs = qs.annotate(max_scm_update = Max('roles__descendents__permissions__scm_update'))
- qs = qs.annotate(max_execute = Max('roles__descendents__permissions__execute'))
- qs = qs.annotate(max_use = Max('roles__descendents__permissions__use'))
-
- qs = qs.values('max_create', 'max_read', 'max_write', 'max_update',
- 'max_delete', 'max_scm_update', 'max_execute', 'max_use')
-
- res = qs.all()
- if len(res):
- # strip away the 'max_' prefix
- return {k[4:]:v for k,v in res[0].items()}
- return None
-
+ return self.resource.get_permissions(user)
 
 def accessible_by(self, user, permissions):
 '''
diff --git a/awx/main/models/rbac.py b/awx/main/models/rbac.py
index de95f0e0af..6f59a82618 100644
--- a/awx/main/models/rbac.py
+++ b/awx/main/models/rbac.py
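Review bot: In awx/main/models/mixins.py, the new body of `ResourceMixin.get_permissions`, `return self.resource.get_permissions(user)`, dereferences `self.resource` unconditionally, where the removed code only passed it to the query as a filter value. The definition of the `resource` field is not in this hunk; if it can be unset on an instance, the call now raises `AttributeError` before any query runs, so a guard such as `if self.resource is None: return None` ahead of the return would keep the no-permissions result explicit. The method also lost its docstring in the move; a one-liner like `'''Delegates to Resource.get_permissions; returns a dict of permissions or None.'''` would keep the contract visible to callers of the mixin.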
@@ -6,6 +6,8 @@ import logging
 
 # Django
 from django.db import models
+from django.db.models.aggregates import Max
+from django.core.urlresolvers import reverse
 from django.utils.translation import ugettext_lazy as _
 from django.contrib.contenttypes.models import ContentType
 from django.contrib.contenttypes.fields import GenericForeignKey
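Review bot: The added `from django.core.urlresolvers import reverse` is not referenced by anything this patch adds; of the two new imports only `Max` is used, in `Resource.get_permissions`. Unless `reverse` is needed by code in rbac.py outside the visible hunks, drop that line so the import block matches what the module uses and the commit stays limited to the get_permissions move.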
@@ -116,6 +118,41 @@ class Resource(CommonModelNameNotUnique):
 object_id = models.PositiveIntegerField(null=True, default=None)
 content_object = GenericForeignKey('content_type', 'object_id')
 
+ def get_permissions(self, user):
+ '''
+ Returns a dict (or None) of the permissions a user has for a given
+ resource.
+
+ Note: Each field in the dict is the `or` of all respective permissions
+ that have been granted to the roles that are applicable for the given
+ user.
+
+ In example, if a user has been granted read access through a permission
+ on one role and write access through a permission on a separate role,
+ the returned dict will denote that the user has both read and write
+ access.
+ '''
+
+ qs = user.__class__.objects.filter(id=user.id, roles__descendents__permissions__resource=self)
+
+ qs = qs.annotate(max_create = Max('roles__descendents__permissions__create'))
+ qs = qs.annotate(max_read = Max('roles__descendents__permissions__read'))
+ qs = qs.annotate(max_write = Max('roles__descendents__permissions__write'))
+ qs = qs.annotate(max_update = Max('roles__descendents__permissions__update'))
+ qs = qs.annotate(max_delete = Max('roles__descendents__permissions__delete'))
+ qs = qs.annotate(max_scm_update = Max('roles__descendents__permissions__scm_update'))
+ qs = qs.annotate(max_execute = Max('roles__descendents__permissions__execute'))
+ qs = qs.annotate(max_use = Max('roles__descendents__permissions__use'))
+
+ qs = qs.values('max_create', 'max_read', 'max_write', 'max_update',
+ 'max_delete', 'max_scm_update', 'max_execute', 'max_use')
+
+ res = qs.all()
+ if len(res):
+ # strip away the 'max_' prefix
+ return {k[4:]:v for k,v in res[0].items()}
+ return None
+
 
class RolePermission(CreatedModifiedModel):
 '''
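Review bot: `Resource.get_permissions` relies on the `filter(..., roles__descendents__permissions__resource=self)` call coming before the `annotate(... Max(...))` calls, and nothing in the method says so. On multi-valued relations Django applies a preceding filter to the rows each aggregate sees, so this order is what limits every `Max` to permissions on this resource; annotating first would aggregate over the user's permissions on all resources and over-report access. A comment above the filter, e.g. `# filter must precede annotate so Max() only sees permissions on this resource`, would protect that ordering from a later refactor. The docstring could also state that `None` is returned when the query matches no permission row for the user on this resource, so callers treat it as no access.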