From a5c355d7538f73805d4073e55ffbff1122500b6a Mon Sep 17 00:00:00 2001
From: Akita Noek
Date: Mon, 21 Mar 2016 15:08:10 -0400
Subject: [PATCH] Updated UserAccess to reflect new visibility requirements (and work)
---
 awx/main/access.py | 23 +++++++++++++++--------
 1 file changed, 15 insertions(+), 8 deletions(-)

diff --git a/awx/main/access.py b/awx/main/access.py
index b44c8fa577..be76aaeb80 100644
--- a/awx/main/access.py
+++ b/awx/main/access.py
@@ -198,12 +198,10 @@ class BaseAccess(object):
 class UserAccess(BaseAccess):
     '''
     I can see user records when:
-     - I'm a superuser.
-     - I'm that user.
-     - I'm an org admin (org admins should be able to see all users, in order
-       to add those users to the org).
-     - I'm in an org with that user.
-     - I'm on a team with that user.
+     - I'm a useruser
+     - I'm in a role with them (such as in an organization or team)
+     - They are in a role which includes a role of mine
+     - I am in a role that includes a role of theirs
     I can change some fields for a user (mainly password) when I am that user.
     I can change all fields for a user (admin access) or delete when:
      - I'm a superuser.
@@ -213,8 +211,17 @@ class UserAccess(BaseAccess):
     model = User
 
     def get_queryset(self):
-        qs = User.accessible_objects(self.user, {'read':True})
-        return qs
+        if self.user.is_superuser:
+            return User.objects
+
+        viewable_users_set = set()
+        viewable_users_set.update(self.user.roles.values_list('ancestors__members__id', flat=True))
+        viewable_users_set.update(self.user.roles.values_list('descendents__members__id', flat=True))
+
+        return User.objects.filter(id__in=viewable_users_set)
+        #qs = User.objects.filter(self.user, {'read':True})
+        #qs = User.objects.
+        #return qs
 
     def can_add(self, data):
         if data is not None and 'is_superuser' in data:
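Review bot: The first new bullet of the docstring reads `- I'm a useruser`, a typo for `- I'm a superuser`, and that is the one rule in this list that the new `get_queryset` short-circuit implements verbatim, so it is worth getting right. The rewritten list also silently drops the old `- I'm that user` bullet without saying whether self-visibility is now expected to fall out of role membership; a user who holds no roles is not reachable through their own roles, so either restore that bullet (and implement it) or state explicitly that it is intentionally gone. The method this docstring describes is in the next hunk, not this one, and the rest of the class body continues outside both.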
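Review bot: The superuser branch returns the `User.objects` manager rather than a queryset, whereas the replaced `User.accessible_objects(...)` call returned a queryset, so any caller that iterates, slices, `len()`s or `|`-combines the result of `get_queryset()` will now break for superusers; it should be `return User.objects.all()`. The non-superuser path pulls every reachable member id into a Python set and hands it back as `id__in=`, which becomes an unbounded `IN (...)` list on large installs, picks up `None` for roles with no members, and, because a user is only reached through roles they hold, appears to lose the old "I'm that user" case for a user with no role memberships; expressing the same rule as one ORM filter keeps it bounded and lets the self row be added explicitly. The three commented-out `#qs` lines after the `return` are dead code and should be deleted rather than shipped. This assumes `roles__ancestors` / `roles__descendents` are traversable from `User` the same way `self.user.roles.values_list('ancestors__...')` is here, and that `Q` is (or can be) imported from `django.db.models` at the top of access.py — confirm both before taking the rewrite below.
```python
    def get_queryset(self):
        if self.user.is_superuser:
            return User.objects.all()
        my_roles = self.user.roles.all()
        # self row added explicitly so a user with no roles can still see themselves
        return User.objects.filter(
            Q(pk=self.user.pk) |
            Q(roles__ancestors__in=my_roles) |
            Q(roles__descendents__in=my_roles)
        ).distinct()
```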