Merge pull request #127 from isimluk/92-with-specs

Fix for #13291, Tenant admin can escalate rights
ManageIQ · Jan 11, 2017 · c6b67f5 · c6b67f5
2 parents c6ae722 + 8e67251
commit c6b67f5
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 4 deletions.
diff --git a/app/controllers/ops_controller/ops_rbac.rb b/app/controllers/ops_controller/ops_rbac.rb
@@ -984,8 +984,8 @@ def rbac_user_set_form_vars
                          :password => @user.password,
                          :verify   => @user.password)
     end
-    # load all user groups
-    @edit[:groups] = MiqGroup.non_tenant_groups_in_my_region.sort_by { |g| g.description.downcase }.collect { |g| [g.description, g.id] }
+    # load all user groups, filter available for tenant
+    @edit[:groups] = Rbac.filtered(MiqGroup.non_tenant_groups_in_my_region).sort_by { |g| g.description.downcase }.collect { |g| [g.description, g.id] }
     # store current state of the new users information
     @edit[:current] = copy_hash(@edit[:new])
   end
@@ -1020,6 +1020,9 @@ def rbac_user_validate?
     if @edit[:new][:group].blank?
       add_flash(_("A User must be assigned to a Group"), :error)
       valid = false
+    elsif Rbac.filtered([MiqGroup.find_by_id(@edit[:new][:group])].compact).empty?
+      add_flash(_("A User must be assigned to an allowed Group"), :error)
+      valid = false
     end
     valid
   end

diff --git a/spec/controllers/ops_controller_spec.rb b/spec/controllers/ops_controller_spec.rb
@@ -46,6 +46,7 @@
   end
 
   describe 'rbac_user_edit' do
+    let(:group) { FactoryGirl.create(:miq_group) }
     before do
       ApplicationController.handle_exceptions = true
     end
@@ -58,7 +59,7 @@
           :name     => 'test7',
           :userid   => 'test7',
           :email    => '[email protected]',
-          :group    => 'test_group',
+          :group    => group.id,
           :password => 'test7',
           :verify   => 'test7',
         }
@@ -75,7 +76,7 @@
           :name     => 'test7',
           :userid   => 'test7',
           :email    => '[email protected]',
-          :group    => 'test_group',
+          :group    => group.id,
           :password => 'test7',
           :verify   => 'test8',
         }