Expand role visibility such that you can always see all roles on any objects you can see

Completes #2774
2026-01-16 20:30:46 -03:30 · 2016-07-05 15:06:25 -04:00 · 2016-07-05 15:06:25 -04:00 · a126736332
commit a126736332
parent e818daa74f
1 changed files with 5 additions and 20 deletions
--- a/awx/main/models/rbac.py
+++ b/awx/main/models/rbac.py
@ -382,9 +382,10 @@ class Role(models.Model):
        qs = Role.objects.extra(
            where = ['''
                    %(roles_table)s.id IN (
-                        SELECT descendent_id FROM %(ancestors_table)s WHERE ancestor_id IN (%(ids)s)
-                        UNION
-                        SELECT ancestor_id FROM %(ancestors_table)s WHERE descendent_id IN (%(ids)s)
+                        SELECT t2.ancestor_id
+                          FROM %(ancestors_table)s as t1
+                               LEFT JOIN %(ancestors_table)s as t2 ON (t1.descendent_id = t2.descendent_id)
+                         WHERE t1.ancestor_id IN (%(ids)s)
                    )
                    ''' % sql_params]
        )
@ -393,23 +394,7 @@ class Role(models.Model):
    @staticmethod
    @check_singleton
    def filter_visible_roles(user, roles_qs):
-        sql_params = {
-            'ancestors_table': Role.ancestors.through._meta.db_table,
-            'parents_table': Role.parents.through._meta.db_table,
-            'roles_table': Role._meta.db_table,
-            'ids': ','.join(str(x) for x in user.roles.all().values_list('id', flat=True))
-        }
-
-        qs = roles_qs.extra(
-            where = ['''
-                EXISTS (
-                    SELECT 1 FROM
-                    %(ancestors_table)s
-                    WHERE (descendent_id = %(roles_table)s.id AND ancestor_id IN (%(ids)s))
-                       OR (ancestor_id = %(roles_table)s.id AND descendent_id IN (%(ids)s))
-                ) ''' % sql_params]
-        )
-        return qs
+        return roles_qs.filter(id__in=Role.visible_roles(user))

    @staticmethod
    def singleton(name):