From 7ec3b3b8b5694e8ed416e798fba186e17be2c532 Mon Sep 17 00:00:00 2001
From: Akita Noek
Date: Wed, 16 Mar 2016 10:26:53 -0400
Subject: [PATCH] Fixed up User.accessible_objects to return a User queryset
Was returnning a RolePermission qs, needed to be a User qs to match. Also bolted on the role_permissions GenericRelation so we could just reuse the ResourceMixin accessible_objects code
---
 awx/main/access.py | 12 ++----------
 awx/main/models/__init__.py | 3 +++
 awx/main/models/mixins.py | 3 +++
 3 files changed, 8 insertions(+), 10 deletions(-)
diff --git a/awx/main/access.py b/awx/main/access.py
index 2446c94553..27eb706c75 100644
--- a/awx/main/access.py
+++ b/awx/main/access.py
@@ -81,15 +81,7 @@ def user_admin_role(self):
 return Role.objects.get(content_type=ContentType.objects.get_for_model(User), object_id=self.id)
 def user_accessible_objects(user, permissions):
- content_type = ContentType.objects.get_for_model(User)
- qs = RolePermission.objects.filter(
- content_type=content_type,
- role__ancestors__members=user
- )
- for perm in permissions:
- qs = qs.annotate(**{'max_' + perm: Max(perm)})
- qs = qs.filter(**{'max_' + perm: int(permissions[perm])})
- return qs
+ return ResourceMixin._accessible_objects(User, user, permissions)
 def user_accessible_by(instance, user, permissions):
 perms = get_user_permissions_on_resource(instance, user)
@@ -236,7 +228,7 @@ class UserAccess(BaseAccess):
 model = User
 def get_queryset(self):
- qs = self.model.accessible_objects(self.user, {'read':True})
+ qs = User.accessible_objects(self.user, {'read':True})
 return qs
 def can_add(self, data):
diff --git a/awx/main/models/__init__.py b/awx/main/models/__init__.py
index a8b7467db2..5c8f4ec3af 100644
--- a/awx/main/models/__init__.py
+++ b/awx/main/models/__init__.py
@@ -3,6 +3,7 @@
 # Django
 from django.conf import settings # noqa
+from django.contrib.contenttypes.fields import GenericRelation
 # AWX
 from awx.main.models.base import * # noqa
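Review bot: In awx/main/access.py, `user_accessible_objects` now hands the whole permission filter to `ResourceMixin._accessible_objects(User, user, permissions)`, and nothing in this patch pins what that means for user visibility, which `UserAccess.get_queryset` relies on. The visible part of the helper filters through `role_permissions__role__ancestors__members=user`, a multi-valued join, so it is worth confirming (the rest of the helper lies outside the hunks shown) that the result carries no duplicate User rows and that a user with no matching role gets an empty queryset. A regression test asserting both for `User.accessible_objects(user, {'read': True})` would cover the change. A one-line docstring such as `"""Return a queryset of User objects on which `user` has the given permissions."""` would also record the new return type.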
@@ -38,11 +39,13 @@ _PythonSerializer.handle_m2m_field = _new_handle_m2m_field
 from django.contrib.auth.models import User # noqa
 from awx.main.access import * # noqa
+
 User.add_to_class('get_queryset', get_user_queryset)
 User.add_to_class('can_access', check_user_access)
 User.add_to_class('accessible_by', user_accessible_by)
 User.add_to_class('accessible_objects', user_accessible_objects)
 User.add_to_class('admin_role', user_admin_role)
+User.add_to_class('role_permissions', GenericRelation('main.RolePermission'))
 # Import signal handlers only after models have been defined.
 import awx.main.signals # noqa
diff --git a/awx/main/models/mixins.py b/awx/main/models/mixins.py
index 968fb3712b..639611fbca 100644
--- a/awx/main/models/mixins.py
+++ b/awx/main/models/mixins.py
@@ -32,7 +32,10 @@ class ResourceMixin(models.Model):
 performant to resolve the resource in question then call `myresource.get_permissions(user)`.
 '''
+ return ResourceMixin._accessible_objects(cls, user, permissions)
+ @staticmethod
+ def _accessible_objects(cls, user, permissions):
 qs = cls.objects.filter(
 role_permissions__role__ancestors__members=user
 )
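Review bot: In awx/main/models/__init__.py, the `GenericRelation('main.RolePermission')` added to `User` relies on Django's default field names, `content_type` and `object_id`, on RolePermission. The code removed from access.py shows a `content_type` field, but the object-id field is not visible in this patch, so confirm it or pass `object_id_field=` explicitly. A GenericRelation also changes deletion behaviour: deleting a User will now cascade to the RolePermission rows that point at that user, which is probably wanted for an RBAC table but should be a deliberate choice. I would add a comment above the line, for example `# Lets ResourceMixin._accessible_objects filter User via role_permissions; deleting a User also deletes RolePermission rows targeting it.`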
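Review bot: In awx/main/models/mixins.py, `_accessible_objects` is declared `@staticmethod` yet keeps `cls` as its first parameter, which reads like a classmethod and hides why the split exists: so that a model outside the ResourceMixin hierarchy (User, from access.py) can be passed in. Renaming the parameter, e.g. `def _accessible_objects(model, user, permissions):`, or adding a one-line docstring that says so would make this explicit; the rename would also touch the body, which continues outside the hunk. The helper trusts that whatever model it receives has a `role_permissions` relation, and since this queryset decides what a user may see, the docstring should state that requirement for callers.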