From 878455187f73b370b0585ce19568e5f0663539dc Mon Sep 17 00:00:00 2001
From: Akita Noek
Date: Mon, 18 Apr 2016 11:28:46 -0400
Subject: [PATCH] Optimized viewable user list, fixed up some project readability bugs

---
 awx/main/access.py | 21 ++++++++++++-------
 awx/main/migrations/0008_v300_rbac_changes.py | 2 +-
 awx/main/models/projects.py | 11 +++++-----
 awx/main/tests/functional/test_projects.py | 4 +++-
 4 files changed, 23 insertions(+), 15 deletions(-)

diff --git a/awx/main/access.py b/awx/main/access.py
index e9fd2760b7..7b28b89ae8 100644
--- a/awx/main/access.py
+++ b/awx/main/access.py
@@ -212,11 +212,18 @@ class UserAccess(BaseAccess):
         if tower_settings.ORG_ADMINS_CAN_SEE_ALL_USERS and self.user.admin_of_organizations.exists():
             return User.objects.all()
 
-        viewable_users_set = set()
-        viewable_users_set.update(self.user.roles.values_list('ancestors__members__id', flat=True))
-        viewable_users_set.update(self.user.roles.values_list('descendents__members__id', flat=True))
+        return (
+            User.objects.filter(
+                pk__in=Organization.accessible_objects(self.user, 'read_role').values('member_role__members')
+            ) |
+            User.objects.filter(
+                pk=self.user.id
+            ) |
+            User.objects.filter(
+                pk__in=Role.objects.filter(singleton_name__in = [ROLE_SINGLETON_SYSTEM_ADMINISTRATOR, ROLE_SINGLETON_SYSTEM_AUDITOR]).values('members')
+            )
+        ).distinct()
 
-        return User.objects.filter(id__in=viewable_users_set)
 
     def can_add(self, data):
         if data is not None and 'is_superuser' in data:
@@ -576,11 +583,11 @@ class TeamAccess(BaseAccess):
     '''
     I can see a team when:
      - I'm a superuser.
-     - I'm an admin of the team's organization.
+     - I'm an admin of the team
      - I'm a member of that team.
     I can create/change a team when:
      - I'm a superuser.
-     - I'm an org admin for the team's org.
+     - I'm an admin for the team
     '''
 
     model = Team
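Review bot: The new queryset is an access-control decision and the hunk leaves its rule undocumented; a short comment above `return (` should state it, e.g. `# Visible users: members of every organization this user can read, the user themself, and members of the system administrator / system auditor singleton roles.` The removed code derived visibility from role ancestors and descendants, so a user who shares only a team or project role with this user and is not a member of an organization the user can read is, as far as this hunk shows, no longer visible — worth confirming that narrowing is intended, since the unchanged `ORG_ADMINS_CAN_SEE_ALL_USERS` branch above is the only other path to a wider set. `singleton_name__in = [` should be `singleton_name__in=[` per PEP 8, and removing the old `return` leaves two consecutive blank lines before `def can_add`. The enclosing `get_queryset` starts above the hunk.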
@@ -604,7 +611,7 @@ class TeamAccess(BaseAccess):
         org_pk = get_pk_from_dict(data, 'organization')
         if obj and org_pk and obj.organization.pk != org_pk:
             raise PermissionDenied('Unable to change organization on a team')
-        return self.user in obj.organization.admin_role
+        return self.user in obj.admin_role
 
     def can_delete(self, obj):
         return self.can_change(obj, None)
diff --git a/awx/main/migrations/0008_v300_rbac_changes.py b/awx/main/migrations/0008_v300_rbac_changes.py
index cb6a653890..4b87865c5f 100644
--- a/awx/main/migrations/0008_v300_rbac_changes.py
+++ b/awx/main/migrations/0008_v300_rbac_changes.py
@@ -284,7 +284,7 @@ class Migration(migrations.Migration):
         migrations.AddField(
             model_name='project',
             name='read_role',
-            field=awx.main.fields.ImplicitRoleField(related_name='+', role_description=b'Read access to this project', parent_role=b'member_role', to='main.Role', role_name=b'Project Read Access', null=b'True'),
+            field=awx.main.fields.ImplicitRoleField(related_name='+', role_description=b'Read access to this project', parent_role=[b'auditor_role', b'scm_update_role', b'member_role'], to='main.Role', role_name=b'Project Read Access', null=b'True'),
         ),
         migrations.AddField(
             model_name='role',
diff --git a/awx/main/models/projects.py b/awx/main/models/projects.py
index 097a714fdf..cdc4d17320 100644
--- a/awx/main/models/projects.py
+++ b/awx/main/models/projects.py
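Review bot: `can_delete` at the end of the hunk delegates to `can_change`, so switching the check from `obj.organization.admin_role` to `obj.admin_role` also lets a team admin delete the team, while the docstring hunk above only lists create/change; either extend that docstring with `- I can delete a team when I'm an admin for the team` or keep deletion on the organization's admin role. Whether organization admins still pass the new check depends on the team's `admin_role` having the organization admin role as a parent, which is not visible here and should be confirmed before this lands. The guard `if obj and org_pk and ...` tolerates `obj` being `None`, but the new `return` dereferences `obj` unconditionally; if `can_change(None, data)` is reachable, the guard must sit earlier in the function, whose start is outside the hunk. In the docstring hunk the two rewritten bullets also dropped the trailing period the neighbouring bullets keep.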
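Review bot: The `parent_role` list in the new `field=` line is ordered `[b'auditor_role', b'scm_update_role', b'member_role']` while the model in the projects.py hunk below declares `['member_role', 'auditor_role', 'scm_update_role']`; Django compares the deconstructed field arguments, so a list in a different order is likely to make `makemigrations` emit a spurious follow-up migration. Use the same order in both places. Editing an already-applied migration in place only has the intended effect on databases that have not yet run 0008, so if this migration has shipped the change belongs in a new migration. `null=b'True'` on the same line is a non-empty bytes value rather than a bool; it is carried over from the old line, but since the line is being rewritten it is a cheap fix.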
@@ -241,17 +241,16 @@ class Project(UnifiedJobTemplate, ProjectOptions, ResourceMixin):
         role_description='Implies membership within this project',
         parent_role='admin_role',
     )
-    read_role = ImplicitRoleField(
-        role_name='Project Read Access',
-        role_description='Read access to this project',
-        parent_role='member_role',
-    )
-
     scm_update_role = ImplicitRoleField(
         role_name='Project Updater',
         role_description='May update this project from the source control management system',
         parent_role='admin_role',
     )
+    read_role = ImplicitRoleField(
+        role_name='Project Read Access',
+        role_description='Read access to this project',
+        parent_role=['member_role', 'auditor_role', 'scm_update_role'],
+    )
 
     @classmethod
     def _get_unified_job_class(cls):
diff --git a/awx/main/tests/functional/test_projects.py b/awx/main/tests/functional/test_projects.py
index cfed6ddfcf..aaf0802791 100644
--- a/awx/main/tests/functional/test_projects.py
+++ b/awx/main/tests/functional/test_projects.py
@@ -11,9 +11,11 @@ from awx.main.models import Project
 #
 @pytest.mark.django_db(transaction=True)
-def test_user_project_list(get, project_factory, admin, alice, bob):
+def test_user_project_list(get, project_factory, organization, admin, alice, bob):
     'List of projects a user has access to, filtered by projects you can also see'
+    organization.member_role.members.add(alice, bob)
+
     alice_project = project_factory('alice project')
     alice_project.admin_role.members.add(alice)
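Review bot: `read_role` is moved below `scm_update_role` and gains it as a parent, but nothing records why the field was relocated; if `ImplicitRoleField` resolves `parent_role` names at class-definition time (not visible here), a comment such as `# declared after every role named in parent_role so the parents exist when this field is bound` would keep a later edit from moving it back. `auditor_role` is named as a parent but is not defined in this hunk, so it presumably comes from a mixin or an earlier part of the class — confirm it is a field on `Project`, because an unresolved parent name would widen or drop read access silently depending on how the field handles it. The parent list order here also differs from the one written into migration 0008 in this same commit. The `Project` class continues outside the hunk.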