From b4f6b380fd28ac0b5476bbc9a96a8b5d4b763458 Mon Sep 17 00:00:00 2001
From: Bill Nottingham <notting@splat.cc>
Date: Fri, 30 Aug 2019 16:28:39 -0400
Subject: [PATCH] Show a tooltip for indirect permissions to show where they
 come from.

---
 .../src/access/rbac-role-column/roleList.directive.js | 10 ++++------
 .../src/access/rbac-role-column/roleList.partial.html | 11 ++++++++++-
 2 files changed, 14 insertions(+), 7 deletions(-)

diff --git a/awx/ui/client/src/access/rbac-role-column/roleList.directive.js b/awx/ui/client/src/access/rbac-role-column/roleList.directive.js
index fe7472ce65..55bf04dc51 100644
--- a/awx/ui/client/src/access/rbac-role-column/roleList.directive.js
+++ b/awx/ui/client/src/access/rbac-role-column/roleList.directive.js
@@ -26,13 +26,10 @@ export default
                                 //
                                 // If the user has indirect admin access, they are system admin, org admin,
                                 // or a <resource_type>_admin. Return the role name directly.
-                                if (i.descendant_roles.includes('admin_role')) {
-                                    i.role.explicit = false;
-                                    return i.role;
-                                }
-                                // Return other specific roles that grant read access
-                                if (i.role.name.includes('Auditor')) {
+                                // Similarly, if they are an auditor, return that instead of a read role.
+                                if (i.descendant_roles.includes('admin_role') || i.role.name.includes('Auditor')) {
                                     i.role.explicit = false;
+                                    i.role.parent_role_name = i.role.name;
                                     return i.role;
                                 }
                                 // Handle more complex cases
@@ -45,6 +42,7 @@ export default
                                 let indirect_roles = [];
                                 i.descendant_roles.forEach((descendant_role) => {
                                     let r = _.cloneDeep(i.role);
+                                    r.parent_role_name = r.name;
                                     r.name = descendant_role.replace('_role','');
                                     r.explicit = false;
                                     // Do not include the read role unless it is the only descendant role.
diff --git a/awx/ui/client/src/access/rbac-role-column/roleList.partial.html b/awx/ui/client/src/access/rbac-role-column/roleList.partial.html
index a4b93d930f..587dff8763 100644
--- a/awx/ui/client/src/access/rbac-role-column/roleList.partial.html
+++ b/awx/ui/client/src/access/rbac-role-column/roleList.partial.html
@@ -18,7 +18,16 @@
     <div class="RoleList-tag"
         ng-class="{'RoleList-tag--deletable': entry.explicit && entry.user_capabilities.unattach,
             'RoleList-tag--team': entry.team_id}"
-        ng-if="!entry.team_id">
+        ng-if="!entry.team_id && (entry.explicit || !entry.resource_type)">
         <span class="RoleList-name">{{ entry.name }}</span>
     </div>
+
+    <div class="RoleList-tag"
+        ng-class="{'RoleList-tag--deletable': entry.explicit && entry.user_capabilities.unattach,
+            'RoleList-tag--team': entry.team_id}"
+        aw-tool-tip='<div>Via {{ entry.parent_role_name | sanitize }} role on {{ entry.resource_type | sanitize }} {{entry.resource_name | sanitize}}</div>' aw-tip-placement='bottom'
+        ng-if="!entry.team_id && !entry.explicit && entry.resource_type">
+        <span class="RoleList-name">{{ entry.name }}</span>
+        <i class="fa fa-sitemap"></i>
+    </div>
 </div>