From 444f024bb03c5dd8560c0e49983ba21bf8ee0ba9 Mon Sep 17 00:00:00 2001
From: Bill Nottingham
Date: Tue, 20 Aug 2019 20:04:38 -0400
Subject: [PATCH 1/2] Fix display of indirect access permissions.
For indirect roles, we need to actually show the derived roles, not the details of the role that gives us the derived roles. This means that we can get multiple derived roles from a single indirect role, so we have to expand the list.
---
 .../rbac-role-column/roleList.directive.js | 35 +++++++++++++++++--
 1 file changed, 33 insertions(+), 2 deletions(-)
diff --git a/awx/ui/client/src/access/rbac-role-column/roleList.directive.js b/awx/ui/client/src/access/rbac-role-column/roleList.directive.js
index 0ee778939f..fe7472ce65 100644
--- a/awx/ui/client/src/access/rbac-role-column/roleList.directive.js
+++ b/awx/ui/client/src/access/rbac-role-column/roleList.directive.js
@@ -21,9 +21,40 @@ export default
 }))
 .concat(scope.deleteTarget.summary_fields
 .indirect_access.map((i) => {
- i.role.explicit = false;
- return i.role;
+ // Indirect access roles describe the role on another object that
+ // gives the user access to this object, so we must introspect them.
+ //
+ // If the user has indirect admin access, they are system admin, org admin,
+ // or a _admin. Return the role name directly.
+ if (i.descendant_roles.includes('admin_role')) {
+ i.role.explicit = false;
+ return i.role;
+ }
+ // Return other specific roles that grant read access
+ if (i.role.name.includes('Auditor')) {
+ i.role.explicit = false;
+ return i.role;
+ }
+ // Handle more complex cases
+ // This includes roles team<->team roles, and roles an org admin
+ // inherits from teams in their organization.
+ //
+ // For these, we want to describe the actual permissions for the
+ // object we are retrieving the access_list for, so replace
+ // the role name with the descendant_roles.
+ let indirect_roles = [];
+ i.descendant_roles.forEach((descendant_role) => {
+ let r = _.cloneDeep(i.role);
+ r.name = descendant_role.replace('_role','');
+ r.explicit = false;
+ // Do not include the read role unless it is the only descendant role.
+ if (r.name !== 'read' || i.descendant_roles.length === 1) {
+ indirect_roles.push(r);
+ }
+ });
+ return indirect_roles;
 }))
+ .flat()
 .filter((role) => {
 return Boolean(attrs.teamRoleList) === Boolean(role.team_id);
 })
From b4f6b380fd28ac0b5476bbc9a96a8b5d4b763458 Mon Sep 17 00:00:00 2001
From: Bill Nottingham
Date: Fri, 30 Aug 2019 16:28:39 -0400
Subject: [PATCH 2/2] Show a tooltip for indirect permissions to show where they come from.
---
 .../src/access/rbac-role-column/roleList.directive.js | 10 ++++------
 .../src/access/rbac-role-column/roleList.partial.html | 11 ++++++++++-
 2 files changed, 14 insertions(+), 7 deletions(-)
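Review bot: The map callback returns a bare role object from the admin and Auditor branches but an array from the descendant_roles branch, and only the `.flat()` added after `}))` makes the mixed shapes line up; returning `[i.role]` in the two early-return branches gives the callback a single contract and makes the `.flat()` self-evidently correct, and `let indirect_roles = []` is never reassigned so it can be `const`. `i.descendant_roles` is dereferenced without a guard in both the `includes` check and the `forEach`; if the access_list API can return an indirect entry without that field, the whole role list fails to render, so `(i.descendant_roles || [])` or an explicit check may be warranted — worth confirming against the serializer. The cloned derived entries keep the parent role's `id`, so if anything in the template acts on `entry.id` for a non-explicit row it would target the parent role rather than the derived permission being displayed; the `explicit = false` flag presumably gates such actions, but that is worth confirming. The enclosing directive's link function starts and ends outside the hunk.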
diff --git a/awx/ui/client/src/access/rbac-role-column/roleList.directive.js b/awx/ui/client/src/access/rbac-role-column/roleList.directive.js
index fe7472ce65..55bf04dc51 100644
--- a/awx/ui/client/src/access/rbac-role-column/roleList.directive.js
+++ b/awx/ui/client/src/access/rbac-role-column/roleList.directive.js
@@ -26,13 +26,10 @@ export default
 //
 // If the user has indirect admin access, they are system admin, org admin,
 // or a _admin. Return the role name directly.
- if (i.descendant_roles.includes('admin_role')) {
- i.role.explicit = false;
- return i.role;
- }
- // Return other specific roles that grant read access
- if (i.role.name.includes('Auditor')) {
+ // Similarly, if they are an auditor, return that instead of a read role.
+ if (i.descendant_roles.includes('admin_role') || i.role.name.includes('Auditor')) {
 i.role.explicit = false;
+ i.role.parent_role_name = i.role.name;
 return i.role;
 }
 // Handle more complex cases
@@ -45,6 +42,7 @@ export default
 let indirect_roles = [];
 i.descendant_roles.forEach((descendant_role) => {
 let r = _.cloneDeep(i.role);
+ r.parent_role_name = r.name;
 r.name = descendant_role.replace('_role','');
 r.explicit = false;
 // Do not include the read role unless it is the only descendant role.
diff --git a/awx/ui/client/src/access/rbac-role-column/roleList.partial.html b/awx/ui/client/src/access/rbac-role-column/roleList.partial.html
index a4b93d930f..587dff8763 100644
--- a/awx/ui/client/src/access/rbac-role-column/roleList.partial.html
+++ b/awx/ui/client/src/access/rbac-role-column/roleList.partial.html
@@ -18,7 +18,16 @@
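Review bot: The auditor case in the merged condition is detected by a substring match on the display name, `i.role.name.includes('Auditor')`, while the admin case checks the `descendant_roles` list; a renamed or localized label would silently change which rows are treated as auditor access, so if the API exposes the auditor role's field name in `descendant_roles`, checking that list the way the admin branch does would be the consistent and more robust test. In the same branch `i.role.parent_role_name = i.role.name` records the role as its own parent, so a tooltip keyed on `parent_role_name` would tell the user the permission comes from the role it already names; if the tooltip is meant only for the descendant-expanded entries, leaving the field unset here or gating the tooltip on `parent_role_name !== name` avoids a misleading hint. The second hunk assigns `r.parent_role_name = r.name` before `r.name` is overwritten, which is the right order. Both hunks sit inside the `indirect_access.map` callback, whose start and end lie outside them.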
+ ng-if="!entry.team_id && (entry.explicit || !entry.resource_type)"> {{ entry.name }}
+ +
+ {{ entry.name }} + +