Optimized viewable user list, fixed up some project readability bugs

awx/main/access.py

@@ -212,11 +212,18 @@ class UserAccess(BaseAccess):
         if tower_settings.ORG_ADMINS_CAN_SEE_ALL_USERS and self.user.admin_of_organizations.exists():
             return User.objects.all()
 
-        viewable_users_set = set()
-        viewable_users_set.update(self.user.roles.values_list('ancestors__members__id', flat=True))
-        viewable_users_set.update(self.user.roles.values_list('descendents__members__id', flat=True))
+        return (
+            User.objects.filter(
+                pk__in=Organization.accessible_objects(self.user, 'read_role').values('member_role__members')
+            ) |
+            User.objects.filter(
+                pk=self.user.id
+            ) |
+            User.objects.filter(
+                pk__in=Role.objects.filter(singleton_name__in = [ROLE_SINGLETON_SYSTEM_ADMINISTRATOR, ROLE_SINGLETON_SYSTEM_AUDITOR]).values('members')
+            )
+        ).distinct()
 
-        return User.objects.filter(id__in=viewable_users_set)
 
     def can_add(self, data):
         if data is not None and 'is_superuser' in data:
@@ -576,11 +583,11 @@ class TeamAccess(BaseAccess):
     '''
     I can see a team when:
      - I'm a superuser.
-     - I'm an admin of the team's organization.
+     - I'm an admin of the team
      - I'm a member of that team.
     I can create/change a team when:
      - I'm a superuser.
-     - I'm an org admin for the team's org.
+     - I'm an admin for the team
     '''
 
     model = Team
@@ -604,7 +611,7 @@ class TeamAccess(BaseAccess):
         org_pk = get_pk_from_dict(data, 'organization')
         if obj and org_pk and obj.organization.pk != org_pk:
             raise PermissionDenied('Unable to change organization on a team')
-        return self.user in obj.organization.admin_role
+        return self.user in obj.admin_role
 
     def can_delete(self, obj):
         return self.can_change(obj, None)

awx/main/migrations/0008_v300_rbac_changes.py

@@ -284,7 +284,7 @@ class Migration(migrations.Migration):
         migrations.AddField(
             model_name='project',
             name='read_role',
-            field=awx.main.fields.ImplicitRoleField(related_name='+', role_description=b'Read access to this project', parent_role=b'member_role', to='main.Role', role_name=b'Project Read Access', null=b'True'),
+            field=awx.main.fields.ImplicitRoleField(related_name='+', role_description=b'Read access to this project', parent_role=[b'auditor_role', b'scm_update_role', b'member_role'], to='main.Role', role_name=b'Project Read Access', null=b'True'),
         ),
         migrations.AddField(
             model_name='role',

awx/main/models/projects.py

@@ -241,17 +241,16 @@ class Project(UnifiedJobTemplate, ProjectOptions, ResourceMixin):
         role_description='Implies membership within this project',
         parent_role='admin_role',
     )
-    read_role = ImplicitRoleField(
-        role_name='Project Read Access',
-        role_description='Read access to this project',
-        parent_role='member_role',
-    )
-
     scm_update_role = ImplicitRoleField(
         role_name='Project Updater',
         role_description='May update this project from the source control management system',
         parent_role='admin_role',
     )
+    read_role = ImplicitRoleField(
+        role_name='Project Read Access',
+        role_description='Read access to this project',
+        parent_role=['member_role', 'auditor_role', 'scm_update_role'],
+    )
 
     @classmethod
     def _get_unified_job_class(cls):

awx/main/tests/functional/test_projects.py

@@ -11,9 +11,11 @@ from awx.main.models import Project
 #
 
 @pytest.mark.django_db(transaction=True)
-def test_user_project_list(get, project_factory, admin, alice, bob):
+def test_user_project_list(get, project_factory, organization, admin, alice, bob):
     'List of projects a user has access to, filtered by projects you can also see'
 
+    organization.member_role.members.add(alice, bob)
+
     alice_project = project_factory('alice project')
     alice_project.admin_role.members.add(alice)