From 6d34ca9d2245bc72bb718801d743571919c02d9b Mon Sep 17 00:00:00 2001
From: Akita Noek
Date: Fri, 15 Apr 2016 10:03:50 -0400
Subject: [PATCH] Proof of concept hacks for RolePermission elimination
---
 awx/main/fields.py | 2 ++
 awx/main/models/mixins.py | 26 +++++++++------------
 awx/main/models/rbac.py | 1 +
 awx/main/signals.py | 8 +------
 awx/main/tests/functional/test_rbac_core.py | 4 ++--
 5 files changed, 17 insertions(+), 24 deletions(-)
diff --git a/awx/main/fields.py b/awx/main/fields.py
index 30bd8e03f3..50d73ee4c7 100644
--- a/awx/main/fields.py
+++ b/awx/main/fields.py
@@ -183,6 +183,7 @@ class ImplicitRoleField(models.ForeignKey):
 role = Role_.objects.create(
 created=now(),
 modified=now(),
+ role_field=self.name,
 name=self.role_name,
 description=self.role_description
 )
@@ -233,6 +234,7 @@ class ImplicitRoleField(models.ForeignKey):
 else:
 role = Role_.objects.create(created=now(), modified=now(),
+ role_field=path,
 singleton_name=singleton_name,
 name=singleton_name,
 description=singleton_name)
diff --git a/awx/main/models/mixins.py b/awx/main/models/mixins.py
index 1396698c28..5fd7dc89f8 100644
--- a/awx/main/models/mixins.py
+++ b/awx/main/models/mixins.py
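Review bot: `role_field=path` stores a different kind of value than the `role_field=self.name` added one hunk up: there it is the name of the ImplicitRoleField on the resource model, here it is whatever `path` holds in the enclosing loop, which this hunk does not show. Presumably this column is what mixins.py's new `role_name` argument is meant to match, and there it is spliced into an ORM lookup (`role_name + '__ancestors__members'`), so a singleton role whose `role_field` is not a real field name would raise FieldError in that path rather than simply match nothing. If singleton roles are meant to be excluded from that lookup, say so where the column is defined, e.g. `# name of the ImplicitRoleField on the owning model; singleton roles store their path instead`, or store `''` for singletons and filter them out explicitly. The enclosing method starts before this hunk.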
@@ -31,29 +31,25 @@ class ResourceMixin(models.Model):
 performant to resolve the resource in question then call
 `myresource.get_permissions(user)`.
 '''
- return ResourceMixin._accessible_objects(cls, accessor, permissions)
+ return ResourceMixin._accessible_objects(cls, accessor, role_name)
 @staticmethod
- def _accessible_objects(cls, accessor, permissions):
+ def _accessible_objects(cls, accessor, role_name):
 if type(accessor) == User:
- qs = cls.objects.filter(
- role_permissions__role__ancestors__members=accessor
- )
+ kwargs = {}
+ kwargs[role_name + '__ancestors__members'] = accessor
+ qs = cls.objects.filter(**kwargs)
 elif type(accessor) == Role:
- qs = cls.objects.filter(
- role_permissions__role__ancestors=accessor
- )
+ kwargs = {}
+ kwargs[role_name + '__ancestors'] = accessor
+ qs = cls.objects.filter(**kwargs)
 else:
 accessor_type = ContentType.objects.get_for_model(accessor)
 roles = Role.objects.filter(content_type__pk=accessor_type.id, object_id=accessor.id)
- qs = cls.objects.filter(
- role_permissions__role__ancestors__in=roles
- )
-
- for perm in permissions:
- qs = qs.annotate(**{'max_' + perm: Max('role_permissions__' + perm)})
- qs = qs.filter(**{'max_' + perm: int(permissions[perm])})
+ kwargs = {}
+ kwargs[role_name + '__ancestors__in'] = roles
+ qs = cls.objects.filter(**kwargs)
 #return cls.objects.filter(resource__in=qs)
 return qs
diff --git a/awx/main/models/rbac.py b/awx/main/models/rbac.py
index 2404831b56..86fa2b6e28 100644
--- a/awx/main/models/rbac.py
+++ b/awx/main/models/rbac.py
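Review bot: `role_name` is concatenated straight into an ORM lookup key (`kwargs[role_name + '__ancestors__members'] = accessor`) with no check that it names a role field on `cls`; if any caller ever forwards a request-supplied value, this becomes arbitrary relation traversal, since a dotted path would walk into another model's role tree and decide access from it. Resolve the name once before the branches and fail closed, e.g. `cls._meta.get_field(role_name)  # FieldDoesNotExist for anything that is not a field on cls`, and check it is an ImplicitRoleField if that class is importable here without a cycle. All three branches build the same `role_name + '__ancestors'` prefix, so computing it once and appending `'__members'`, `''` or `'__in'` would remove the duplicated `kwargs = {}` blocks. The `type(accessor) == User` comparisons predate this change but `isinstance` is the idiom, and the dead `#return cls.objects.filter(resource__in=qs)` comment can go now that the method is being rewritten. `accessible_objects`' signature and docstring start above this hunk; the docstring should describe what `role_name` must be, as it is now the whole access decision.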
@@ -77,6 +77,7 @@ class Role(CommonModelNameNotUnique):
 db_table = 'main_rbac_roles'
 singleton_name = models.TextField(null=True, default=None, db_index=True, unique=True)
+ role_field = models.TextField(null=False, default=None)
 parents = models.ManyToManyField('Role', related_name='children')
 implicit_parents = models.TextField(null=False, default='[]')
 ancestors = models.ManyToManyField('Role', related_name='descendents') # auto-generated by `rebuild_role_ancestor_list`
diff --git a/awx/main/signals.py b/awx/main/signals.py
index 891c60b75b..cc475b655a 100644
--- a/awx/main/signals.py
+++ b/awx/main/signals.py
@@ -131,16 +131,10 @@ def create_user_role(instance, **kwargs):
 except Role.DoesNotExist:
 role = Role.objects.create(
 name = 'Owner',
+ role_field='owner_role',
 content_object = instance,
 )
 role.members.add(instance)
- RolePermission.objects.create(
- role = role,
- resource = instance,
- auto_generated = True,
- create=1, read=1, write=1, delete=1, update=1,
- execute=1, scm_update=1, use=1,
- )
 def org_admin_edit_members(instance, action, model, reverse, pk_set, **kwargs):
 content_type = ContentType.objects.get_for_model(Organization)
diff --git a/awx/main/tests/functional/test_rbac_core.py b/awx/main/tests/functional/test_rbac_core.py
index a7c3275530..0be5fbd439 100644
--- a/awx/main/tests/functional/test_rbac_core.py
+++ b/awx/main/tests/functional/test_rbac_core.py
@@ -9,8 +9,8 @@ from awx.main.models import (
 @pytest.mark.django_db
 def test_auto_inheritance_by_children(organization, alice):
- A = Role.objects.create(name='A')
- B = Role.objects.create(name='B')
+ A = Role.objects.create(name='A', role_field='')
+ B = Role.objects.create(name='B', role_field='')
 A.members.add(alice)
 assert alice not in organization.admin_role
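Review bot: `role_field = models.TextField(null=False, default=None)` gives the column no usable default: any `Role.objects.create()` that omits `role_field` fails at the database with an IntegrityError rather than a validation error, and the tests in this patch already have to pass `role_field=''` to get around it. Either make the sentinel explicit with `role_field = models.TextField(null=False, default='')  # '' = role not bound to a model field` or drop the default so omission is caught at `full_clean()`. The diffstat lists no migration, so existing `main_rbac_roles` rows cannot satisfy the NOT NULL constraint once one is generated — expected for a proof of concept, but worth flagging before this lands. The Role class continues outside this hunk.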
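Review bot: The `RolePermission` grant for the owner is deleted without anything in this diff replacing the check side: the only consumer rewritten here is `_accessible_objects`, and the diffstat touches no access-control module, so until the permission checks are moved to role membership the Owner role carries no explicit create/read/write/execute bits. Please confirm no remaining check treats "no RolePermission rows" as unrestricted rather than denied — that is the direction in which this kind of removal fails open. If this was the module's only use of `RolePermission`, its import at the top of signals.py is now dead. Minor style: the added kwarg is written `role_field='owner_role'` while the neighbouring lines use `name = 'Owner',` — pick one form (PEP 8 is no spaces around `=` in keyword arguments). `create_user_role` begins above this hunk, including the `try` that pairs with the visible `except Role.DoesNotExist:`.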
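Review bot: Nothing in the patch exercises the rewritten `_accessible_objects` lookup, which is now the access decision for resources; a test that puts a user in one role of a resource and checks `accessible_objects(user, <that role's field name>)` returns exactly that resource — and that passing a sibling role's field name does not — would cover the new code path before it replaces RolePermission for real. The `role_field=''` passed here is a test-only sentinel whose meaning is not stated anywhere; a comment such as `# '' : free-standing role, not bound to any model field` on the first create would make that explicit. The test body presumably continues past this hunk.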