Expand role visibility such that you can always see all roles on any objects you can see

Completes #2774

awx/main/models/rbac.py

@@ -382,9 +382,10 @@ class Role(models.Model):
         qs = Role.objects.extra(
             where = ['''
                     %(roles_table)s.id IN (
-                        SELECT descendent_id FROM %(ancestors_table)s WHERE ancestor_id IN (%(ids)s)
+                        SELECT t2.ancestor_id
-                        UNION
+                          FROM %(ancestors_table)s as t1
-                        SELECT ancestor_id FROM %(ancestors_table)s WHERE descendent_id IN (%(ids)s)
+                               LEFT JOIN %(ancestors_table)s as t2 ON (t1.descendent_id = t2.descendent_id)
+                         WHERE t1.ancestor_id IN (%(ids)s)
                     )
                     ''' % sql_params]
         )
@@ -393,23 +394,7 @@ class Role(models.Model):
     @staticmethod
     @check_singleton
     def filter_visible_roles(user, roles_qs):
-        sql_params = {
+        return roles_qs.filter(id__in=Role.visible_roles(user))
-            'ancestors_table': Role.ancestors.through._meta.db_table,
-            'parents_table': Role.parents.through._meta.db_table,
-            'roles_table': Role._meta.db_table,
-            'ids': ','.join(str(x) for x in user.roles.all().values_list('id', flat=True))
-        }
-
-        qs = roles_qs.extra(
-            where = ['''
-                EXISTS (
-                    SELECT 1 FROM
-                    %(ancestors_table)s
-                    WHERE (descendent_id = %(roles_table)s.id AND ancestor_id IN (%(ids)s))
-                       OR (ancestor_id = %(roles_table)s.id AND descendent_id IN (%(ids)s))
-                ) ''' % sql_params]
-        )
-        return qs
 
     @staticmethod
     def singleton(name):