From 6fee46fb666c89ec037a346fb7854f341ed59882 Mon Sep 17 00:00:00 2001
From: AlanCoding
Date: Fri, 22 Jul 2016 12:47:36 -0400
Subject: [PATCH] Reorganize activity stream around org admin/auditors
---
 awx/main/access.py | 21 +++++++++++----------
 1 file changed, 11 insertions(+), 10 deletions(-)
diff --git a/awx/main/access.py b/awx/main/access.py
index 0d09c57f5e..6bd920c7fe 100644
--- a/awx/main/access.py
+++ b/awx/main/access.py
@@ -1562,21 +1562,22 @@ class ActivityStreamAccess(BaseAccess):
 inventory_set = Inventory.accessible_objects(self.user, 'read_role')
 credential_set = Credential.accessible_objects(self.user, 'read_role')
- organization_set = Organization.accessible_objects(self.user, 'read_role')
- admin_of_orgs = Organization.accessible_objects(self.user, 'admin_role')
- group_set = Group.objects.filter(inventory__in=inventory_set)
+ auditing_orgs = (
+ Organization.accessible_objects(self.user, 'admin_role') |
+ Organization.accessible_objects(self.user, 'auditor_role')
+ ).distinct().values_list('id', flat=True)
 project_set = Project.accessible_objects(self.user, 'read_role')
 jt_set = JobTemplate.accessible_objects(self.user, 'read_role')
 team_set = Team.accessible_objects(self.user, 'read_role')
 return qs.filter(
 Q(ad_hoc_command__inventory__in=inventory_set) |
- Q(user__in=organization_set.values('member_role__members')) |
+ Q(user__in=auditing_orgs.values('member_role__members')) |
 Q(user=self.user) |
- Q(organization__in=organization_set) |
+ Q(organization__in=auditing_orgs) |
 Q(inventory__in=inventory_set) |
 Q(host__inventory__in=inventory_set) |
- Q(group__in=group_set) |
+ Q(group__inventory__in=inventory_set) |
 Q(inventory_source__inventory__in=inventory_set) |
 Q(inventory_update__inventory_source__inventory__in=inventory_set) |
 Q(credential__in=credential_set) |
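Review bot: `auditing_orgs` is flattened to ids with `.values_list('id', flat=True)` and then re-projected in `Q(user__in=auditing_orgs.values('member_role__members'))`, so that clause only works if the later `.values()` replaces the earlier projection, and the `.distinct()` ends up applying to a different column than the one it was written against. Ending the assignment at `).distinct()` would keep an Organization queryset that, as far as the visible lines show, both `organization__in=` and `.values('member_role__members')` can take directly. The change also narrows who sees other users' and organizations' entries from holders of the org `read_role` to admins and auditors, so a comment above the assignment such as `# Org-scoped activity is limited to that org's admins and auditors; plain read access no longer qualifies.` would record that the restriction is deliberate. The enclosing method starts above this hunk and continues into the next one.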
@@ -1585,10 +1586,10 @@ class ActivityStreamAccess(BaseAccess):
 Q(project_update__project__in=project_set) |
 Q(job_template__in=jt_set) |
 Q(job__job_template__in=jt_set) |
- Q(notification_template__organization__in=admin_of_orgs) |
- Q(notification__notification_template__organization__in=admin_of_orgs) |
- Q(label__organization__in=organization_set) |
- Q(role__in=Role.visible_roles(self.user))
+ Q(notification_template__organization__in=auditing_orgs) |
+ Q(notification__notification_template__organization__in=auditing_orgs) |
+ Q(label__organization__in=auditing_orgs) |
+ Q(role__in=Role.visible_roles(self.user) if auditing_orgs else [])
 ).distinct()
 def can_add(self, data):
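Review bot: The `if auditing_orgs else []` guard on the final `Q(role__in=...)` is all-or-nothing: holding admin or auditor on any one organization turns on role entries for everything `Role.visible_roles(self.user)` returns, which may include roles in organizations where the user is neither (visible_roles is defined outside this diff, so this is inferred). If visibility is meant to be per organization, the role filter should be constrained by the same organizations rather than gated on their existence; if the global gate is intended, a comment on that line should say so. The truthiness test also evaluates the whole queryset just to check for emptiness, whereas `Q(role__in=Role.visible_roles(self.user) if auditing_orgs.exists() else [])` asks the database only whether a row exists. The diffstat lists only awx/main/access.py, so a test asserting that a plain organization member no longer sees other members' entries would be worth adding with this change.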