From a126736332383306f68ce28e9eae503f517ecf06 Mon Sep 17 00:00:00 2001
From: Akita Noek
Date: Tue, 5 Jul 2016 15:06:25 -0400
Subject: [PATCH] Expand role visibility such that you can always see all roles on any objects you can see
Completes #2774
---
 awx/main/models/rbac.py | 25 +++++--------------------
 1 file changed, 5 insertions(+), 20 deletions(-)
diff --git a/awx/main/models/rbac.py b/awx/main/models/rbac.py
index 633c60c175..b16a777a77 100644
--- a/awx/main/models/rbac.py
+++ b/awx/main/models/rbac.py
@@ -382,9 +382,10 @@ class Role(models.Model):
 qs = Role.objects.extra( where = [''' %(roles_table)s.id IN (
- SELECT descendent_id FROM %(ancestors_table)s WHERE ancestor_id IN (%(ids)s)
- UNION
- SELECT ancestor_id FROM %(ancestors_table)s WHERE descendent_id IN (%(ids)s)
+ SELECT t2.ancestor_id
+ FROM %(ancestors_table)s as t1
+ LEFT JOIN %(ancestors_table)s as t2 ON (t1.descendent_id = t2.descendent_id)
+ WHERE t1.ancestor_id IN (%(ids)s)
 ) ''' % sql_params] )
@@ -393,23 +394,7 @@ class Role(models.Model):
 @staticmethod
 @check_singleton
 def filter_visible_roles(user, roles_qs):
- sql_params = {
- 'ancestors_table': Role.ancestors.through._meta.db_table,
- 'parents_table': Role.parents.through._meta.db_table,
- 'roles_table': Role._meta.db_table,
- 'ids': ','.join(str(x) for x in user.roles.all().values_list('id', flat=True))
- }
-
- qs = roles_qs.extra(
- where = ['''
- EXISTS (
- SELECT 1 FROM
- %(ancestors_table)s
- WHERE (descendent_id = %(roles_table)s.id AND ancestor_id IN (%(ids)s))
- OR (ancestor_id = %(roles_table)s.id AND descendent_id IN (%(ids)s))
- ) ''' % sql_params]
- )
- return qs
+ return roles_qs.filter(id__in=Role.visible_roles(user))
 @staticmethod
 def singleton(name):
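Review bot: The rewritten subquery still takes `%(ids)s` by string interpolation, and nothing in the hunk guards a user who holds no roles, where the clause would render as `WHERE t1.ancestor_id IN ()` and be rejected by the database. The `sql_params` setup for this method lies outside the hunk, so this is inferred from the same pattern in the lines removed from `filter_visible_roles`; if it holds, an early `return Role.objects.none()` on an empty id list would close the gap. Because every `t1` row matches itself in the self-join, `LEFT JOIN` behaves as a plain `JOIN` here, and writing `JOIN` would state the intent more clearly. Since this is the query that decides which role rows a user may list, a comment above it such as `# visible = every ancestor of any role that descends from one of the user's roles` would record the authorization rule. The diffstat shows no test file in this patch, so the widened visibility appears to ship without a test for a low-privilege user.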
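Review bot: `filter_visible_roles` now nests the `.extra()` queryset from `visible_roles` inside `id__in`, and that raw `where` names the roles table literally through `%(roles_table)s.id`. When Django compiles a queryset as a subquery it may alias the inner table, so the literal name could bind to the outer query's roles table and turn the filter into a correlated subquery; inspect the generated SQL with `str(roles_qs.filter(...).query)` before relying on it. A one-line docstring such as `"""Restrict roles_qs to the roles that visible_roles(user) returns."""` would make clear that this is an authorization filter and that both entry points now share one rule. The body of `visible_roles` is only partly visible in this patch.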